Renseignement sur les menaces

États-Unis

45.198.224.244

FAI Vpsvault.host Ltd Première vue 16/06/2026 04:26 UTC Dernière vue 20/06/2026 16:03 UTC Risque Élevé

Période analysée : 2026-03-22 → 2026-06-20

Activité suspecte — risque 52/100 (Moyen) — MITRE TA0001 — confiance 100 % — via HTTPS — campagne /24 (45.198.224.0/24)

Campagne de scan — plusieurs IP du même /24 (45.198.224.0/24, ≥3 pairs)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 76/100 Élevé

Première observation 16/06/2026 04:26 UTC

Dernière observation 20/06/2026 16:03 UTC

Événements (période) 230

MITRE ATT&CK principal TA0001 168 occurrences

Activité suspecte — risque 52/100 (Moyen) — MITRE TA0001 — confiance 100 % — via HTTPS — campagne /24 (45.198.224.0/24)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%

Confiance 100 % — Score WAF 8 · Bonus corrélation +10

Comparaison ASN / FAI

ASN 215925 · 45.198.224.0/24 · AFRINIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 230 événements sur la période pour cette IP.

45.198.224.114 Sonde SSH 20/06/2026 16:35 UTC
45.198.224.141 Sonde SSH 20/06/2026 16:35 UTC
45.205.1.76 Sonde SAP ICM HTTP 20/06/2026 16:34 UTC
45.205.1.241 Sonde port 8899/TCP 20/06/2026 16:33 UTC
45.205.1.240 Scanner web 20/06/2026 15:54 UTC
45.205.1.242 kerberos 20/06/2026 15:51 UTC
45.205.1.245 Sonde port 5000/TCP 20/06/2026 15:46 UTC
45.205.1.244 Sonde jeu Unreal 20/06/2026 15:41 UTC

Événements (filtres)

230

Première observation

16/06/2026 04:26 UTC

Dernière observation

20/06/2026 16:03 UTC

Dernière activité (filtres)

20/06/2026 16:03 UTC

Événements 7j

230

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 173 HTTPS TCP 32 REMOTEANYTHING TCP 6 NODE HTTP TCP 5 GRAFANA TCP 4 HTTP ALT 8088 TCP 3 HTTP ALT 8081 TCP 3

HTTP

173

HTTPS

REMOTEANYTHING

NODE HTTP

GRAFANA

HTTP ALT 8088

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Vpsvault.host Ltd 0 Port 8443 web_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

http smuggling probe · via HTTPS:8443 · (tentative d'exploit)

Détails protocole

Aperçu payload

POST /api/route HTTP/1.1 Host: 62.3.50.33:8443 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.

Port / service

8443 · HTTPS

Service émulé

HTTPS

Raison confiance

Confiance 95 % — Motif catalogue confirmé

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Scan coordonné

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0842

Confiance

100% Corrélation +10

Famille de menace

web_injection

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

230 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

230 événement(s) — page 5/5

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 16:10:03 UTC	TCP	3002	—	Sonde port Sonde port · port 3002 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3002 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 60% Corrélation +10 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": null, "app_proto": null, "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "864a612e9da71754d8a8f5b0b8559f02761267f0", "event_fingerprint": "37265dffe08d24f42cf4795b1dd9c9776472f1eb", "classification_confidence": 0.6, "confidence": 0.6, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 10 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 3002, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "798f73845b2368b4e004d3647dcd7c4c3e2d0f76", "protocol_details": { "port": 3002 }, "attack_vector": "Sonde port \u00b7 port 3002 \u00b7 (sonde \/ probe)", "target_port_label": "3002", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 60, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3002 }, "attack_vector": "Sonde port \u00b7 port 3002 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3002", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 72 }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	http http · via HTTP:3002 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3002 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 61% Confiance classification 79% Corrélation +18 Risque capteur Faible · 35 Confiance : Confiance 61 % — Score WAF 20 · 1 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3002 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.5232314287976205, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 20, "risk_classification": 8, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "cd29e424d0e298012f91f1538147043ed7dc941d", "event_fingerprint": "1b45f184489a4badc621137cca8ff83506226041", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "17a9ecb20ce1daa2d85860631b083508", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%" }, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.79, "classification_confidence": 0.79, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b432e35063d9399f59f11626b4f782f37144458", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "attack_vector": "http \u00b7 via HTTP:3002 \u00b7 (sonde \/ probe)", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 79, "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:3002 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nConnection: close", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541. Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d336075c3988c6b7205cebd57d13f49ace6a0b3b", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 927, "payload_entropy": 5.673600599609936, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "4b936daaf05771106c4e9e218aef4ca574be3af3", "event_fingerprint": "bf03ca9fb1a0f9dec6126df8ed726e5611ba378c", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ea6889a59d080298a42c0e1b4758211", "payload_hash": "53cb0c8258d3b4de1b762c1455ad02f0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cd4ca81f6b34593ec3d50ababf62b768fd308b9a", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit)", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 979, "payload_entropy": 5.672583842483796, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 11, "anomaly_count": 0, "campaign_key": "66b7f4dbefc344c97bfab79f1b08d2ae0383b3c7", "event_fingerprint": "e79001ee3a119372dc829d7a136765b7f5248fbb", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "b7134420f3980447c81724754cc580f7", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d201ce72ca19f59ce30a0bb2c799de858dbffec5", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Actio Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8447a2dfcfbbdcc75d5b5272da958411ec73dd1a", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 943, "payload_entropy": 5.64950493041748, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "894f00c4dc1dcb80118004b2288c313de525170a", "event_fingerprint": "1de13953e8c14993362e3f8556080a54ec6fd4e4", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93af66442f9c9958e5fcc0142d9e74de", "payload_hash": "e40374a7f73faeabc51c4d775f9ac25d", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Actio", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1dc4a8248abd4f73f65d882269ee1719e45f32ee", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 16:10:03 UTC	TCP	3002 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3002 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWeb… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3002 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3002 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/134.0.6998.99 Mobile/15E148 Safari/604.1 Accept-E Meta JSON brut { "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "affd667937319ba36aa098ac5e3b53f4e282c1fe", "http_host_hash": "ee3abe830eee278c9a8f0ffd85f7b97f39c75219", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 978, "payload_entropy": 5.683625200268866, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3002, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "693618f0f750e0ce1ca6fc1a5db499e22c6b7ede", "event_fingerprint": "f68bcd64261e96dfd92de2d10a9459948774ed7b", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6990db627a3d5a6ae3f8a2c22924225b", "payload_hash": "84d2d0af619b4829508a157af062ec8d", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3002, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\r\nAccept-E", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2a94b9bf40b7e863a93dde13f3e0d55b803be6d", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026", "port": 3002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3002\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU", "target_port_label": "3002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3002" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti" ] }
16/06/2026 13:03:23 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Ac Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 977, "payload_entropy": 5.641083603876925, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "17f8082b7177a6962da54a61b69b8c55587a2484", "event_fingerprint": "44273dd9b4c851d7b9a674b35acd2e74b843b306", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "811587fe2159ae34408e162f0301cd93", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAc", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAc", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81b6e1e06d5d92dd060f61bd4180cf18d9a489cd", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) A Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 946, "payload_entropy": 5.645635982494514, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "5286d7149cff2380a616c8211b39b63366c8dd6f", "event_fingerprint": "16e2c48fbcd6b17a02278bce3dc927a637697700", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "4953ee3a7b58093417a97f95a51e4779", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a0edb8f56f89ba470cd63c71bda0e529e90bce6", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 930, "payload_entropy": 5.637095497237025, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "bd2e4031bf04bf18dee63c7bcfc15bb898971b77", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "dda561c86ab5774044686fef8392941c", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44e2a43099d34945c7191ad929cd1637fe2ed8f0", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 906, "payload_entropy": 5.599525220763314, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "5f81689c0d4c52be206bd91cfd395583910ca4a3", "event_fingerprint": "82784f43a5e9f3ee94ecdb86dca53a33b02b4a21", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "f0b8a92631b02c3bb8c6372f9524f87a", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75fb8c0b71087d3a4741acb4bdfe7b8063c75ba7", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 980, "payload_entropy": 5.676213569280611, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "6f5948cef2533ee6717481d676f7cea8a7121fae", "event_fingerprint": "25e704f0aca0877f96ba11a8b72866ac12712632", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "7728c60ffe229ec70d198662c39b459a", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "601cfc62cdc00a88cceeba610e02133509a92495", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:22 UTC	TCP	3001 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3001 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3001 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) A Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3001 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-R Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 928, "payload_entropy": 5.633244314670457, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "355d7572ad0a2a31a82f6a17f7d1b0376cbe086a", "event_fingerprint": "ba76cda5a5de39507583c01573d44f59579b7605", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "317f87ea02f0c4d889f501ac8896505b", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-R", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc4eb1153b3173439b22bf301e3db24f4c2ea3f1", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3001 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 13:03:21 UTC	TCP	3001 · GRAFANA	grafana	grafana probe grafana probe · via GRAFANA:3001 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur GRAFANA WAF — Recommandation Surveiller Tags grafana_emulated net_grafana_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3001 Chemin / cible — Service GRAFANA Pourquoi cette classification : Type « grafana_probe » (signaux protocolaires) · confiance 0% Confiance classification 10% Corrélation +10 Risque capteur Faible · 24 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "grafana", "app_proto": "grafana", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 2, "anomaly_count": 0, "campaign_key": "fa5e9f89adb2c47cafc508db34cacd873d1de716", "event_fingerprint": "0f885f7557e23a2165fec6e25217796b52e0b682", "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.1, "classification_confidence": 0.1, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "grafana", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6fe594699bf22753f400c105c5e66cd2" }, "target_context": { "dst_port": 3001, "service": "grafana", "service_name": "grafana", "risk_score": 24 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a45c6598dfbd7f36d43b9df396afaa630d6ff129", "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab grafana_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 10, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 24, "risk_label": "Faible", "service_name": "grafana", "service_label_fr": "GRAFANA", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-grafana", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3001, "service": "grafana", "service_label_fr": "GRAFANA" }, "attack_vector": "grafana probe \u00b7 via GRAFANA:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3001 \u00b7 GRAFANA", "emulator_service": "grafana", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "grafana", "service_banner": "honeypot-grafana", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "grafana_emulated", "net_grafana_probe" ] }
16/06/2026 13:03:21 UTC	TCP	3001 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3001 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3001 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3001 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2033360d0a0d0a7b226461746162617365223a226f6b222c2276657273696f6e223a2231302e322e30227d", "emulator_response_len": 107, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "68964bd149320edbceb0d6a222e6bc3e0bdb74e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.510649970428229, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3001, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a03f8e495fb2c8a4b497319935cd9db363466aea", "event_fingerprint": "da23c40320a3e9c3f4c59c38b781fb247e83e390", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cdda30c43b2dd7c07f4801c1b61cc70", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3001, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e015661753fc64a5a3205772e3dabde2526361d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3001, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3001 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3001\r\nConnection: close", "target_port_label": "3001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "grafana", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 5, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Andr Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.690695027549453, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "e2df49b40bff1bf1c835e3051e5e684779804c0d", "event_fingerprint": "9ba584fdc39f150e7c51f1e0eda84d67437d8d65", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "45218565b5d869d627a7349a736d6b35", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d62c49acda47ab3ac9610bdbb775604152aceb8b", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Andr", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /app	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 951, "payload_entropy": 5.652409630981394, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "1fc6a70736a43e88c6e8fca79595036b64f26a25", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "87ed84b01bcaca157f97e434bcaa1665", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNe", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7619563e25a6b63090e359146b12db88542734fa", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:13 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007;… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 513 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.103 Mobile Safari/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1978af5307537775fab4b66b0f1439319be37ce1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 987, "payload_entropy": 5.664523870539842, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 16, "anomaly_count": 0, "campaign_key": "1ad596657217a260bbfde7bd7dbf8675ae0c20d6", "event_fingerprint": "46fad7a80ac53c3981cf28756f763ab2003e70d5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7967be4fa492cfad4b86b41e3ae090e9", "payload_hash": "558741a1d48dc05d8b06ee4182d47a07", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6541a3c734c567de9caba795c4c6b42bae5b1e98", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 513\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /_next	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; W Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 507 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 939, "payload_entropy": 5.657146249718423, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8a7a730e3bd4ed5a37303ee15b632ec4892de342", "event_fingerprint": "997360954c933942c23581cb49e3850fdfacc7fc", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "41b8d90afa301ae08a109d54ea957298", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\n", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f3e0660f3aa9654e2fcfc94b4baeaf05ffec7d3b", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 507\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:12 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit) · → /api	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.605397513701913, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 14, "anomaly_count": 0, "campaign_key": "21e9fae942f52cc8b549481060b39762751f902f", "event_fingerprint": "de9086070f98b0daf5d3dfd24e5a3bbeea980a1d", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "d45a7a42a7af0daca280ad1560d265fb", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89465f6de370e56e22d8a331197edddfa52ffe47", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:11 UTC	TCP	8080 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:8080 · (tentative d'exploit)	Élevée	Élevé · 74
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +10 Risque capteur Élevé · 74 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:8080 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0 Accept-Encoding: gzip, deflate Next- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "a76e08b809549a8ef70acaf7074b5caa8a051858", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 949, "payload_entropy": 5.672032491151558, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 74, "tag_count": 13, "anomaly_count": 0, "campaign_key": "dd0c863e8e5b3de4c865bd32a64a191cc8f0cbbb", "event_fingerprint": "c1a9c1f6f187ad29e77be46b13b8ac844c709953", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64a32e80cd1b4b7b1af4cc78f58848ee", "payload_hash": "a35d83f746468780e009c9bba877cbf6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 74 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\r\nAccept-Encoding: gzip, deflate\r\nNext-", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f96bc006a154697a39dc081859ab5ee9ba58e535", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 74\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (45.198.224.0\/24)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 74, "correlation_boost": 10 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 74, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ] }
16/06/2026 07:31:10 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 84% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.577316637094897, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 8080, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "37198db21b7202e636438aa5da36611eb6d754de", "event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "15a4a5d6143f1183d398eba12061634b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.84, "classification_confidence": 0.84, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b4204193a4c25716fc1670ad0cebd9890311a42", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 84, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 84 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +10 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 4, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next/server	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next/server UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 58 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next/server TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next/server Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next/server HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Requête brute (extrait) POST /_next/server HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "8447a2dfcfbbdcc75d5b5272da958411ec73dd1a", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "bef481449499f499a0b29ed75c9630076205b04f", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 952, "payload_entropy": 5.642716490179193, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "c36746a77281a9fce22e541072d4e4f0737c5351", "event_fingerprint": "87b00af68946e45a37698a12d54984fa7e6dffe5", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93af66442f9c9958e5fcc0142d9e74de", "payload_hash": "7eedaf447dfc2c10aa5df213b36e68e5", "path_pattern_hash": "4d9c4ca8a8065d3ce7073b6b23f61056" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; ", "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nN", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "evidence": { "method": "POST", "path": "\/_next\/server", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next\/server HTTP\/1.1", "request_sample": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nN", "payload_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5536a4c7e1124e937417bab038c388432e85377", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next\/server", "request_line": "POST \/_next\/server HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next\/server", "evidence_snippet": "POST \/_next\/server HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Macintosh;", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /app	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /app UA Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /app TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /app Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /app HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4. Requête brute (extrait) POST /app HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 Accept-Encoding: gzip, de Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "22d9380abcdf97c82db21728e444020cf16735ea", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "0c35eebf403cf91fe77a64921d76aa1ca6411d20", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 961, "payload_entropy": 5.689062710877391, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "ae01e5d64c65059bfac3d910117e1109010c7099", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6c8160595869adea51d6742918f57fdf", "payload_hash": "bc29f07aa5f31ffb4e1aee8ea13b2be7", "path_pattern_hash": "f53b52ad6d21cceb72dfa78fb67614fe" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "evidence": { "method": "POST", "path": "\/app", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/app HTTP\/1.1", "request_sample": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\r\nAccept-Encoding: gzip, de", "payload_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1bcdabe11a1088a3bc9e33aee4ff78bbe757f356", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/app", "request_line": "POST \/app HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app", "evidence_snippet": "POST \/app HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:53 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api/route	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api/route UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 62 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api/route TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api/route Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 10 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api/route HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86 Requête brute (extrait) POST /api/route HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 522 Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x X-Ne Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "1c1f86ba252c0c8ebc250acab48718f12d6d1efd", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "1a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 940, "payload_entropy": 5.640710689692344, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 16, "anomaly_count": 0, "campaign_key": "fe5171cbcf388509f61f3b6aecafcdfc099ea056", "event_fingerprint": "65e65f62aaa913ad704f645caea35cffc912e98f", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "72d43eb808798db218d063798749cc39", "payload_hash": "b717110770f8149e644f8617438b6176", "path_pattern_hash": "7c4fe35e07eebe8bea27a36c14378e32" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "evidence": { "method": "POST", "path": "\/api\/route", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api\/route HTTP\/1.1", "request_sample": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Ne", "payload_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a816b242548ca399a4c76bb5027eeecafa8db42", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api\/route", "request_line": "POST \/api\/route HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/route", "evidence_snippet": "POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 522\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 10 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950468:nosqli-3", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_api_route_probe", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:52 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /_next	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /_next UA Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) Appl… Émulateur HTTP WAF 52 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /_next TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /_next Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 8 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /_next HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 Payload (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; Requête brute (extrait) POST /_next HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 518 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 9; AFTWMST22 Build/PS7233; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/88.0.4324.152 Mobile Safari/537.36 Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1cafc1ec7983977ff1b9c77c60e09ef5fe869a95", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "afd9bdeafd8c657f6b493ada03c51e348516227b", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 980, "payload_entropy": 5.691202073357923, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "c38ba9371dae7cb9f392003889a5e2034699ce93", "event_fingerprint": "c49bbffea35129d829a515ff116f95c1704735dd", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c772734c6eb2978096c283068906aec3", "payload_hash": "9b98821f08e0ce5838ed317c3d9c63fb", "path_pattern_hash": "bfd33612e3863357684bd23d10455a76" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ", "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "evidence": { "method": "POST", "path": "\/_next", "user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0" ], "request_line": "POST \/_next HTTP\/1.1", "request_sample": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\r\nAccept", "payload_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ea58965055c7edd14e6407f3d4b6c5e418a4a99", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/_next", "request_line": "POST \/_next HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88\u2026", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/_next", "evidence_snippet": "POST \/_next HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 518\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 8 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:52 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit) · → /api	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST /api UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100… Émulateur HTTP WAF 56 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST /api TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible /api Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST /api HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 k8s-api Payload (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win Requête brute (extrait) POST /api HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 517 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136. Accept-Encoding: gzip, deflate Next-Action: x X-Nextjs-Request-Id: poop1234 C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fac64969f9eca34262c56352be2d62dd2d22b1a0", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "ada91241341ae792ecf0a59cad28616a77bab856", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 905, "payload_entropy": 5.614241524043487, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 14, "anomaly_count": 0, "campaign_key": "1e67af4ace0fb9570a93d503a0db3591dd65e01e", "event_fingerprint": "4f99a7d92fe1c1e77fc3a3c563d97b11b0619181", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f10b48170735feac18b44fa385fef37", "payload_hash": "66eac3e7994e92148b12e0e6eb25bd2f", "path_pattern_hash": "702acf7c08d3b03b321d97b4903ad221" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "evidence": { "method": "POST", "path": "\/api", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "k8s-api" ], "request_line": "POST \/api HTTP\/1.1", "request_sample": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x\r\nX-Nextjs-Request-Id: poop1234\r\nC", "payload_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2085d546e7aa82aae66b2c033da0166884486ab1", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/api", "request_line": "POST \/api HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api", "evidence_snippet": "POST \/api HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950600:k8s-api", "http_contenttype_attack_surface", "http_probe_api", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:51 UTC	TCP	3000 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74% Confiance classification 92% Corrélation +18 Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 20 · 1 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3000 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 60, "payload_entropy": 4.502479553833678, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "acadabb6e608d1908fefd541c4cece676bd41c90", "event_fingerprint": "0a8ad1cb33910f55ec66abeb641b5eb23668cec0", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "597220e036db121e0b6ae329850b51eb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%" }, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.92, "classification_confidence": 0.92, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7dc19df7e993431aa64cf30efafc82ee2e53c1a4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 92, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40, "correlation_boost": 18 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nConnection: close", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 92 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
16/06/2026 04:26:51 UTC	TCP	3000 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:3000 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, l… Émulateur HTTP WAF 55 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 3000 Chemin / cible / Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 9 tag(s) WAF Protocole émulé 1 Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Règles WAF sqli-4 rce-0 rce-2 rce-14 nosqli-3 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) A Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:3000 Content-Length: 508 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36 Accept-Encoding: gzip, deflate Next-Action: x Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "http_header_count": 9, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8563f2ed0fd1b3832e8c528ca96b1f98a5b0004e", "http_host_hash": "46f5955a67387b75de712e640b0687c888a438e5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 926, "payload_entropy": 5.6423092073487044, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "http", "app_proto": "http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 6.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 75, "tag_count": 13, "anomaly_count": 0, "campaign_key": "acb91e0e53779c097d8d44be0ab94cc5fdd213a6", "event_fingerprint": "ed7cd4b5808a7b0088bf2b6ff027999d206ef1c8", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fcf5bfa409c42db4e4a5f32bcc91f966", "payload_hash": "b90e39f192d84c261ed2c716019112e6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3000, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "rce-14", "nosqli-3", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\r\nAccept-Encoding: gzip, deflate\r\nNext-Action: x", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "384a29926978850ab588716f52b687a53114a434", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 75, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36", "port": 3000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:3000 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:3000\r\nContent-Length: 508\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) A", "target_port_label": "3000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 9 tag(s) WAF", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "node-http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950382:rce-14", "950470:nosqli-3", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_contenttype_attack_surface", "http_prototype_pollution", "http_ssti", "net_web_probe" ] }
16/06/2026 04:26:50 UTC	TCP	3000 · NODE HTTP	node-http	Sonde HTTP Sonde HTTP · via NODE HTTP:3000 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur NODE-HTTP WAF — Recommandation Surveiller Tags net_web_probe node_http_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Service NODE HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 81% Corrélation +10 Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Vpsvault.host Ltd", "service": "node-http", "app_proto": "node-http", "asn": 215925, "country": "US", "dst_port": 3000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7c356cd3f41196ebc417361b0f54b35bbef962c4", "event_fingerprint": "34fd482cd7628741af06d058b16059cafd546c90", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 215925, "org": "Vpsvault.host Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "node-http", "target_context": { "dst_port": 3000, "service": "node-http", "service_name": "node-http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.81, "classification_confidence": 0.81, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fbb176b8be7c53f9f74a0d17880aaafba7d2e40", "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 81, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 40, "risk_label": "Moyen", "service_name": "node-http", "service_label_fr": "NODE HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-node-http", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via NODE HTTP:3000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 81 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (45.198.224.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "node_http", "service_banner": "honeypot-node-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "45.198.224.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_web_probe", "node_http_emulated" ], "behavior_alert_count": 1, "behavior_priority": 72 }

45.198.224.244

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence