|
|
TCP |
88 · KERBEROS
|
kerberos
|
kerberos
kerberos · via KERBEROS:88 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
KERBEROS
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
88
Chemin / cible
—
Service
KERBEROS
Payload
GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close
Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "6e82000c0a104142434445464748494a",
"emulator_response_len": 16,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "kerberos",
"app_proto": "kerberos",
"asn": 215925,
"country": "US",
"dst_port": 88,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046",
"event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c",
"classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "kerberos",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6"
},
"target_context": {
"dst_port": 88,
"service": "kerberos",
"service_name": "kerberos",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7c727866aecc7234e2975d9009b209aa393f0f34",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"port": 88,
"service": "kerberos",
"service_label_fr": "KERBEROS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)",
"target_port_label": "88 \u00b7 KERBEROS",
"emulator_service": "kerberos",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "kerberos",
"service_label_fr": "KERBEROS",
"dst_port": 88,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-kerberos",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"port": 88,
"service": "kerberos",
"service_label_fr": "KERBEROS"
},
"attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "88 \u00b7 KERBEROS",
"emulator_service": "kerberos",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "kerberos",
"service_banner": "honeypot-kerberos",
"service_os": "linux",
"dst_port": "88"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
8181 · HTTP
|
http
|
Sonde port 8181/TCP
port 8181 tcp · via HTTP:8181 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8181
Chemin / cible
/
Preuve honeypot — Sonde port 8181/TCP
Connexion détectée sur le port 8181 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8181_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8181,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "f0b43653fcbd76eee02bf3d5a7df293964891864",
"event_fingerprint": "7dc05c84705bb631a906361f6f851bd772b4c42a",
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8181,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a22e82457d27902ed70ab8bc1feda1139c957933",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8181,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8181 tcp \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe)",
"target_port_label": "8181 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8181,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8181,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8181 tcp \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8181 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8181"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8080 · HTTP
|
http
|
Sonde port 8080/TCP
port 8080 tcp · via HTTP:8080 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8080
Chemin / cible
/
Preuve honeypot — Sonde port 8080/TCP
Connexion détectée sur le port 8080 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8080_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 40
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8080,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 40,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "6b72789ba559a30d0f30c2aa10343244d74f282e",
"event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583",
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d1d6bb1f268f30f688653bc01ef8be37a15921fe",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8080 tcp \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8080 tcp \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8081 · HTTP
|
http
|
Sonde port 8081/TCP
port 8081 tcp · via HTTP:8081 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Preuve honeypot — Sonde port 8081/TCP
Connexion détectée sur le port 8081 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8081_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8081,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "be4657ce52d3c7c246c62c1791104ff2773199e6",
"event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0",
"classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4a98e1d8b413887775d3caffaeea3ac0a23678c3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8081 tcp \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8081,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8081 tcp \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8081 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8083 · HTTP
|
http
|
Sonde port 8083/TCP
port 8083 tcp · via HTTP:8083 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8083
Chemin / cible
/
Preuve honeypot — Sonde port 8083/TCP
Connexion détectée sur le port 8083 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8083_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8083,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "865f10df46a58aa51f18e87a7e20752382edd35c",
"event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f",
"classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8083,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f05565b4918615825d9b2375a25d342150d2f4e3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8083 tcp \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe)",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8083,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8083 tcp \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
81 · HTTP
|
http
|
Sonde port 81/TCP
port 81 tcp · via HTTP:81 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
81
Chemin / cible
/
Preuve honeypot — Sonde port 81/TCP
Connexion détectée sur le port 81 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 81,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "390e632f9c71147cf0806bc5a5704e8ff4323e7d",
"event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb",
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 81,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "67ba24782406fc84a3caefad199c00b5d1f1e1de",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 81,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 81 tcp \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)",
"target_port_label": "81 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 81,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 81,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 81 tcp \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "81 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "81"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
1111 · HTTP
|
http
|
Sonde port 1111/TCP
port 1111 tcp · via HTTP:1111 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1111
Chemin / cible
/
Preuve honeypot — Sonde port 1111/TCP
Connexion détectée sur le port 1111 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_1111_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 1111,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "ea297c22c9b3f1f14cc6f6ddb3fc6aa88d165ae1",
"event_fingerprint": "a2620a823d751bad85b7b2ead0c891288e81bc46",
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1111,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1f371fef750cd67fb6865cd34b79c3f662ca2440",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 1111,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 1111 tcp \u00b7 via HTTP:1111 \u00b7 (sonde \/ probe)",
"target_port_label": "1111 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1111,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 1111,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 1111 tcp \u00b7 via HTTP:1111 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "1111 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1111"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8899 · HTTP
|
http
|
Sonde port 8899/TCP
port 8899 tcp · via HTTP:8899 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8899
Chemin / cible
/
Preuve honeypot — Sonde port 8899/TCP
Connexion détectée sur le port 8899 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8899_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8899,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c",
"event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e",
"classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8899,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "019e7128e36d280e74ce411e9f581c40551e9f71",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8899,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8899 tcp \u00b7 via HTTP:8899 \u00b7 (sonde \/ probe)",
"target_port_label": "8899 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8899,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8899,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8899 tcp \u00b7 via HTTP:8899 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8899 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8899"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8443 · HTTPS
|
https
|
Sonde PostgreSQL
postgres probe · via HTTPS:8443 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
�����������Ȩ���cݷ��i����������KJ��=?Ɠ�� ���eƅ�{�û��J�����\����<nH�&�z����+�/�,�0̨̩� ��� �����������c� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Ȩ���cݷ��i����������KJ��=?Ɠ�� ���eƅ�{�û��J�����\����<nH�&�z����+�/�,�0̨̩� ���
�����������c�����������������
Requête brute (extrait)
�����������Ȩ���cݷ��i����������KJ��=?Ɠ�� ���eƅ�{�û��J�����\����<nH�&�z����+�/�,�0̨̩� ��� �����������c� ��������������������������� ������������������� �������������������������2�����������������������������+� ����������3��������˷�5���� ~�8��]}�I5Ҥ
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 1487,
"payload_entropy": 7.720284290606485,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "https",
"app_proto": "https",
"asn": 215925,
"country": "US",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a1efd12a9dbd7d3829a07f829a7703ab",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0228\ufffd\ufffd\u0014c\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u001c\u00fb\ufffd\u0001J\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\u0019\ufffd<nH\ufffd&\ufffdz\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0228\ufffd\ufffd\u0014c\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u001c\u00fb\ufffd\u0001J\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\u0019\ufffd<nH\ufffd&\ufffdz\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u02f7\ufffd5\ufffd\ufffd\u0012\ufffd\n~\ufffd8\ufffd\ufffd]}\ufffdI5\u04a4",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0228\ufffd\ufffd\u0014c\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u001c\u00fb\ufffd\u0001J\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\u0019\ufffd<nH\ufffd&\ufffdz\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6636056a471658e055926404a215fb1843a6003e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0228\ufffd\ufffd\u0014c\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u001c\u00fb\ufffd\u0001J\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\u0019\ufffd<nH\ufffd&\ufffdz\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffd\u0228\ufffd\ufffdc\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u00fb\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd<nH\ufffd&\ufffdz\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdc\ufffd",
"attack_vector": "postgres probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0228\ufffd\ufffd\u0014c\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u001c\u00fb\ufffd\u0001J\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\u0019\ufffd<nH\ufffd&\ufffdz\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "postgres probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u0228\ufffd\ufffdc\u0777\ufffd\ufffdi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdKJ\ufffd\ufffd=?\u0193\ufffd\ufffd \ufffd\ufffd\ufffde\u0185\ufffd{\u00fb\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd\ufffd<nH\ufffd&\ufffdz\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdc\ufffd",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
7777 · GAME UNREAL
|
game-unreal
|
Sonde jeu Unreal
game-unreal · via GAME UNREAL:7777 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
GAME-UNREAL
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7777
Chemin / cible
—
Service
GAME UNREAL
Payload
GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close
Pourquoi cette classification : Type « game-unreal » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a",
"emulator_response_len": 42,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "game-unreal",
"app_proto": "game-unreal",
"asn": 215925,
"country": "US",
"dst_port": 7777,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "3e7ec7f3991985c9eedf55a9c367a039789da62e",
"event_fingerprint": "a35789f75452d6a73be983d5f266e3a77d710b7e",
"classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "game-unreal",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "10384eda5161b41f764c9b11f5a8ba8f"
},
"target_context": {
"dst_port": 7777,
"service": "game-unreal",
"service_name": "game-unreal",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "573eb95ef8f84cc7da981b47951c693b05a7e3e6",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"port": 7777,
"service": "game-unreal",
"service_label_fr": "GAME UNREAL"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "game-unreal \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)",
"target_port_label": "7777 \u00b7 GAME UNREAL",
"emulator_service": "game-unreal",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "game-unreal",
"service_label_fr": "GAME UNREAL",
"dst_port": 7777,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-game-unreal",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"port": 7777,
"service": "game-unreal",
"service_label_fr": "GAME UNREAL"
},
"attack_vector": "game-unreal \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "7777 \u00b7 GAME UNREAL",
"emulator_service": "game-unreal",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "game_unreal",
"service_banner": "honeypot-game-unreal",
"service_os": "linux",
"dst_port": "7777"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
8085 · HTTP
|
http
|
Sonde port 8085/TCP
port 8085 tcp · via HTTP:8085 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8085
Chemin / cible
/
Preuve honeypot — Sonde port 8085/TCP
Connexion détectée sur le port 8085 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8085_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8085,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "de578c983cf6ca85fdb286751bcffe843d981741",
"event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919",
"classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8085,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26620ceda2ea2f2c5dd47d6c144341271dd263f7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8085,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8085 tcp \u00b7 via HTTP:8085 \u00b7 (sonde \/ probe)",
"target_port_label": "8085 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8085,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8085,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8085 tcp \u00b7 via HTTP:8085 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8085 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8085"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8181 · HTTP
|
http
|
Sonde port 8181/TCP
port 8181 tcp · via HTTP:8181 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8181
Chemin / cible
/
Preuve honeypot — Sonde port 8181/TCP
Connexion détectée sur le port 8181 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8181_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8181,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "f0b43653fcbd76eee02bf3d5a7df293964891864",
"event_fingerprint": "7dc05c84705bb631a906361f6f851bd772b4c42a",
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8181,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a22e82457d27902ed70ab8bc1feda1139c957933",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8181,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8181 tcp \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe)",
"target_port_label": "8181 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8181,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8181,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8181 tcp \u00b7 via HTTP:8181 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8181 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8181"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8090 · HTTP
|
http
|
Sonde port 8090/TCP
port 8090 tcp · via HTTP:8090 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8090
Chemin / cible
/
Preuve honeypot — Sonde port 8090/TCP
Connexion détectée sur le port 8090 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8090_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8090,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "8260f75b8d725411979b253a9fd305d6c8984f54",
"event_fingerprint": "9028a01c41411dd97fdbb8cc9621b5ff48076aae",
"classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8090,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f6466fb11360891324d7d52b0b0014bca849b623",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 8090 tcp \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe)",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 38\/100 (Faible) \u2014 MITRE TA0007 \u2014 confiance 55 % \u2014 via HTTP",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 8090,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 8090 tcp \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8090 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
1111 · HTTP
|
http
|
Sonde port 1111/TCP
port 1111 tcp · via HTTP:1111 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.68.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1111
Chemin / cible
/
Preuve honeypot — Sonde port 1111/TCP
Connexion détectée sur le port 1111 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_1111_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 1111,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "ea297c22c9b3f1f14cc6f6ddb3fc6aa88d165ae1",
"event_fingerprint": "a2620a823d751bad85b7b2ead0c891288e81bc46",
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1111,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1f371fef750cd67fb6865cd34b79c3f662ca2440",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 1111,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "port 1111 tcp \u00b7 via HTTP:1111 \u00b7 (sonde \/ probe)",
"target_port_label": "1111 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1111,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.68.0",
"port": 1111,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 1111 tcp \u00b7 via HTTP:1111 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "1111 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1111"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8000 · SAP ICM
|
sap-icm
|
Sonde SAP ICM HTTP
Sonde SAP ICM / WebDynpro · via SAP ICM:8000 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SAP-ICM
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_sap_web_probe
sap_icm_emulated
sap_icm_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8000
Chemin / cible
—
Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 4 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c",
"emulator_response_len": 141,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "sap-icm",
"app_proto": "sap-icm",
"asn": 215925,
"country": "US",
"dst_port": 8000,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 48,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 0,
"protocol": 48,
"novelty": 15
},
"risk_score": 34,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354",
"event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a",
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 0,
"protocol": 48,
"novelty": 15,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "sap-icm",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc"
},
"target_context": {
"dst_port": 8000,
"service": "sap-icm",
"service_name": "sap-icm",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a",
"protocol_details": {
"port": 8000,
"service": "sap-icm",
"service_label_fr": "SAP ICM"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)",
"target_port_label": "8000 \u00b7 SAP ICM",
"emulator_service": "sap-icm",
"confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 0,
"protocol": 48,
"novelty": 15,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "sap-icm",
"service_label_fr": "SAP ICM",
"dst_port": 8000,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sap-icm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 8000,
"service": "sap-icm",
"service_label_fr": "SAP ICM"
},
"attack_vector": "Sonde SAP ICM \/ WebDynpro \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"target_port_label": "8000 \u00b7 SAP ICM",
"emulator_service": "sap-icm",
"confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sap_icm",
"service_banner": "honeypot-sap-icm",
"service_os": "linux",
"dst_port": "8000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_sap_web_probe",
"sap_icm_emulated",
"sap_icm_payload"
]
}
|
|
|
TCP |
81 · HTTP
|
http
|
Sonde port 81/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
81
Chemin / cible
/
Preuve honeypot — Sonde port 81/TCP
Connexion détectée sur le port 81 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 81,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "390e632f9c71147cf0806bc5a5704e8ff4323e7d",
"event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb",
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 81,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "67ba24782406fc84a3caefad199c00b5d1f1e1de",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 81,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "81"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8080 · HTTP
|
http
|
Sonde port 8080/TCP
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8080
Chemin / cible
/
Preuve honeypot — Sonde port 8080/TCP
Connexion détectée sur le port 8080 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8080_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 40
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8080,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 40,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "6b72789ba559a30d0f30c2aa10343244d74f282e",
"event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583",
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d1d6bb1f268f30f688653bc01ef8be37a15921fe",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8083 · HTTP
|
http
|
Sonde port 8083/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8083
Chemin / cible
/
Preuve honeypot — Sonde port 8083/TCP
Connexion détectée sur le port 8083 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8083_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8083,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "865f10df46a58aa51f18e87a7e20752382edd35c",
"event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f",
"classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8083,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f05565b4918615825d9b2375a25d342150d2f4e3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8085 · HTTP
|
http
|
Sonde port 8085/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8085
Chemin / cible
/
Preuve honeypot — Sonde port 8085/TCP
Connexion détectée sur le port 8085 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8085_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8085,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "de578c983cf6ca85fdb286751bcffe843d981741",
"event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919",
"classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8085,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26620ceda2ea2f2c5dd47d6c144341271dd263f7",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8085"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8081
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8081,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 17,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "be4657ce52d3c7c246c62c1791104ff2773199e6",
"event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0f0f0592143028f0dc98f131094fc398c2e4608b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
88
|
kerberos
|
kerberos
|
Moyenne
|
Faible · 1
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
88
Chemin / cible
—
Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "6e82000c0a104142434445464748494a",
"emulator_response_len": 16,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "kerberos",
"app_proto": "kerberos",
"asn": 215925,
"country": "US",
"dst_port": 88,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15
},
"risk_score": 1,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046",
"event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c",
"classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6"
},
"target_context": {
"dst_port": 88,
"service": "kerberos"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7c727866aecc7234e2975d9009b209aa393f0f34",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
8888
|
http
|
Scanner web
|
Élevée
|
Faible · 28
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "US",
"dst_port": 8888,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 28,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "e0db4986cd303a2bdf1668e4cfb3f7289d4e64d7",
"event_fingerprint": "02d83459edfce64ea9c4204521900a0d5452ec35",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0599"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%"
},
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3674159bd90f0f04bf9f56ff051f27b6f08c8ac3",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8443
|
https
|
Sonde PostgreSQL
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������(�[��ꗛ���"Տs)��J3�wD�ȗH9@t, ����g���&EI���H��x����@���6e
t�����+�/�,�0̨̩� ���
�����������c�����������������
Requête brute (extrait)
�����������(�[��ꗛ���"Տs)��J3�wD�ȗH9@t, ����g���&EI���H��x����@���6e t�����+�/�,�0̨̩� ��� �����������c� ��������������������������� ������������������� �������������������������2�����������������������������+� ����������3����������A]W�fV.����,a 4���j
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 1487,
"payload_entropy": 7.733755266955517,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "https",
"app_proto": "https",
"asn": 215925,
"country": "US",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 15,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "186438b2eaf730f0b4bffdebb3932e72",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8443,
"service": "https"
},
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003(\ufffd[\ufffd\u0002\ua5db\ufffd\ufffd\ufffd\"\u054fs)\ufffd\ufffdJ3\ufffdwD\ufffd\u0217H9@t, \u001a\ufffd\u000f\ufffdg\ufffd\u000e\ufffd&EI\u0010\ufffd\ufffdH\ufffd\u0002x\u0010\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd6e\rt\u0004\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003(\ufffd[\ufffd\u0002\ua5db\ufffd\ufffd\ufffd\"\u054fs)\ufffd\ufffdJ3\ufffdwD\ufffd\u0217H9@t, \u001a\ufffd\u000f\ufffdg\ufffd\u000e\ufffd&EI\u0010\ufffd\ufffdH\ufffd\u0002x\u0010\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd6e\rt\u0004\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffdA]W\u0017fV.\ufffd\u0003\ufffd\u001b,a\u000b4\u0011\ufffd\u0006j",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003(\ufffd[\ufffd\u0002\ua5db\ufffd\ufffd\ufffd\"\u054fs)\ufffd\ufffdJ3\ufffdwD\ufffd\u0217H9@t, \u001a\ufffd\u000f\ufffdg\ufffd\u000e\ufffd&EI\u0010\ufffd\ufffdH\ufffd\u0002x\u0010\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd6e\rt\u0004\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003(\ufffd[\ufffd\u0002\ua5db\ufffd\ufffd\ufffd\"\u054fs)\ufffd\ufffdJ3\ufffdwD\ufffd\u0217H9@t, \u001a\ufffd\u000f\ufffdg\ufffd\u000e\ufffd&EI\u0010\ufffd\ufffdH\ufffd\u0002x\u0010\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd6e\rt\u0004\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffdA]W\u0017fV.\ufffd\u0003\ufffd\u001b,a\u000b4\u0011\ufffd\u0006j",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003(\ufffd[\ufffd\u0002\ua5db\ufffd\ufffd\ufffd\"\u054fs)\ufffd\ufffdJ3\ufffdwD\ufffd\u0217H9@t, \u001a\ufffd\u000f\ufffdg\ufffd\u000e\ufffd&EI\u0010\ufffd\ufffdH\ufffd\u0002x\u0010\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd6e\rt\u0004\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "58a95259a00512137e075afce525516bd4981091",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
8801
|
http
|
Scanner web
|
Élevée
|
Faible · 18
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8801
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8801,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 18,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "12a59529462aaef8b9a32b31441476aba2edd604",
"event_fingerprint": "ed58fc0ca64b05d9728517d553a89cfb9855518b",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8801,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c50d674c7bfefff30c39d0f7744e16e8d53c1bf",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
5000
|
http
|
Scanner web
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5000
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c",
"emulator_response_len": 158,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 5000,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 15,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "2c9e6de3d0ef08c3b213ac439c060c62edec0f6a",
"event_fingerprint": "2bc1c2cda4344dbe8adb234d705fd0cba69a3120",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5000,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e5739bfbd50fc03753aa5960ee7c009157165e64",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8899
|
http
|
Scanner web
|
Élevée
|
Faible · 13
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8899
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8899,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 13,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c",
"event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8899,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b4b34cfe477fd739ce3cbae942ee0983cf10d38b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
7777
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7777
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 7777,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "441be4cd2cb7f3c12f8123c3dd6c8571a1a794f5",
"event_fingerprint": "b3f46ed63fafdbe6dc14f602d6cf510f6d00d0e8",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7777,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d9e8ad4962b09790aa767254c8498817f0fe38b8",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8800
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8800
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8800,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "3f12b58264a4a8f3046396d6378a65e61f6df2f4",
"event_fingerprint": "e6640c6d3870992e0b8e6aebbdfbb668a25fb3ee",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8800,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71f4f31e4aee017a33b27707ada31a72347a0bf2",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8899
|
http
|
Scanner web
|
Élevée
|
Faible · 13
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8899
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8899,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 13,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c",
"event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8899,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b4b34cfe477fd739ce3cbae942ee0983cf10d38b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8181
|
http
|
Scanner web
|
Élevée
|
Faible · 18
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8181
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8181,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 18,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "f0b43653fcbd76eee02bf3d5a7df293964891864",
"event_fingerprint": "7dc05c84705bb631a906361f6f851bd772b4c42a",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8181,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6b3212e37af26cdad9b642f5a330a9bf7267cd8e",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8443
|
https
|
Sonde PostgreSQL
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������n
ǥ�S������mگ�$��<��m�� @Jē� �ə�+��s�L\Gͦ�������ln���}�?�����+�/�,�0̨̩� ���
�����������c�����������������
Requête brute (extrait)
�����������n ǥ�S������mگ�$��<��m�� @Jē� �ə�+��s�L\Gͦ�������ln���}�?�����+�/�,�0̨̩� ��� �����������c� ��������������������������� ������������������� �������������������������2�����������������������������+� ����������3����������&�9C��4���������a��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 1487,
"payload_entropy": 7.748143389636892,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "https",
"app_proto": "https",
"asn": 215925,
"country": "SC",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 15,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7cf11feac889a2e2c739d53dbeb390f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8443,
"service": "https"
},
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003n\n\u01e5\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\u06af\ufffd$\ufffd\ufffd<\u0000\ufffdm\ufffd\u0004\t@J\u0113\ufffd \ufffd\u0259\ufffd+\ufffd\u0012s\ufffdL\\G\u0366\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffdln\u0017\u0001\ufffd}\ufffd?\u0015\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003n\n\u01e5\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\u06af\ufffd$\ufffd\ufffd<\u0000\ufffdm\ufffd\u0004\t@J\u0113\ufffd \ufffd\u0259\ufffd+\ufffd\u0012s\ufffdL\\G\u0366\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffdln\u0017\u0001\ufffd}\ufffd?\u0015\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd&\ufffd9C\ufffd\ufffd4\ufffd\u0005\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003n\n\u01e5\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\u06af\ufffd$\ufffd\ufffd<\u0000\ufffdm\ufffd\u0004\t@J\u0113\ufffd \ufffd\u0259\ufffd+\ufffd\u0012s\ufffdL\\G\u0366\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffdln\u0017\u0001\ufffd}\ufffd?\u0015\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003n\n\u01e5\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\u06af\ufffd$\ufffd\ufffd<\u0000\ufffdm\ufffd\u0004\t@J\u0113\ufffd \ufffd\u0259\ufffd+\ufffd\u0012s\ufffdL\\G\u0366\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffdln\u0017\u0001\ufffd}\ufffd?\u0015\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd&\ufffd9C\ufffd\ufffd4\ufffd\u0005\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003n\n\u01e5\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\u06af\ufffd$\ufffd\ufffd<\u0000\ufffdm\ufffd\u0004\t@J\u0113\ufffd \ufffd\u0259\ufffd+\ufffd\u0012s\ufffdL\\G\u0366\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffdln\u0017\u0001\ufffd}\ufffd?\u0015\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "90c0a3342a8e95362844f74eb4f564332d9620bc",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
88
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
88
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 88,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "d2f487269863129f5601f31b6531c7479907873c",
"event_fingerprint": "fa17b6f9ffc0a884fcc54ad25019036664306546",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 88,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2e5e0e10deced5bf3b31460e8fd2914ddbbf5774",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8081
|
http
|
Scanner web
|
Élevée
|
Faible · 16
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8081,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 16,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "2d9c80e944c07b9cba1f72a339b05c14ab8199a8",
"event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "803224c64a3758a5d24e4132e5575cd1cb31329d",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
81
|
http
|
Scanner web
|
Élevée
|
Faible · 16
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
81
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "well_known",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 81,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 16,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "8e66c7dcfef475b3eba3e75bc1c8db47cdd1e617",
"event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 81,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "768be7662a7ce8ab0d1f4390995207a32fc4935c",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
5000
|
http
|
Scanner web
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5000
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c",
"emulator_response_len": 158,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 5000,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 15,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "2c9e6de3d0ef08c3b213ac439c060c62edec0f6a",
"event_fingerprint": "2bc1c2cda4344dbe8adb234d705fd0cba69a3120",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5000,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e5739bfbd50fc03753aa5960ee7c009157165e64",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8083
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8083
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8083,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "654c4bd7853bec7c56d2079f64958f898634165f",
"event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8083,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd367b534537e0bdb433662a7fb8419a855d085f",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8888
|
http
|
Scanner web
|
Élevée
|
Faible · 28
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8888,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 28,
"tag_count": 6,
"anomaly_count": 1,
"campaign_key": "e0db4986cd303a2bdf1668e4cfb3f7289d4e64d7",
"event_fingerprint": "02d83459edfce64ea9c4204521900a0d5452ec35",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0599"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%"
},
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3674159bd90f0f04bf9f56ff051f27b6f08c8ac3",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
|
|
|
TCP |
8085
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8085
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8085,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "c8c522684f23bf95ca5263812b8c85508430fc12",
"event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8085,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c1a85f3cfcbd3cba72e6bd7be0f15b826b78b4c8",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8000
|
sap-icm
|
Sonde SAP ICM HTTP
|
Élevée
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_sap_web_probe
sap_icm_emulated
sap_icm_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8000
Chemin / cible
—
Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c",
"emulator_response_len": 141,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "sap-icm",
"app_proto": "sap-icm",
"asn": 215925,
"country": "SC",
"dst_port": 8000,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 48,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 0,
"protocol": 48,
"novelty": 15
},
"risk_score": 8,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354",
"event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a",
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc"
},
"target_context": {
"dst_port": 8000,
"service": "sap-icm"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_sap_web_probe",
"sap_icm_emulated",
"sap_icm_payload"
]
}
|
|
|
TCP |
8800
|
http
|
Scanner web
|
Élevée
|
Faible · 17
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8800
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8800,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 17,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "3f12b58264a4a8f3046396d6378a65e61f6df2f4",
"event_fingerprint": "e6640c6d3870992e0b8e6aebbdfbb668a25fb3ee",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8800,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71f4f31e4aee017a33b27707ada31a72347a0bf2",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8080
|
http
|
SSRF interne
|
Élevée
|
Faible · 36
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8080
Chemin / cible
/
Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 58%
Confiance classification
58%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
DB-ssrf-0292
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8080,
"risk_waf": 32,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 32,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 36,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "7f21de2459b95de36e436ede39a0811ba9f15cf9",
"event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 58%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 69,
"precision_signals": [
"DB-ssrf-0292"
],
"kb_rule_ids": [
"DB-ssrf-0292"
],
"matched_patterns": [
"DB-ssrf-0292"
],
"matched_pattern_names": [
"DB-ssrf-0292"
],
"classification_parent": "ssrf_attack",
"risk_confidence_factor": 58,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8080,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.68.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 58%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "40f10e9b8cb45161e451c787a2a5faeac6699811",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
1111
|
http
|
Scanner web
|
Élevée
|
Faible · 28
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1111
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 1111,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 28,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "ea297c22c9b3f1f14cc6f6ddb3fc6aa88d165ae1",
"event_fingerprint": "a2620a823d751bad85b7b2ead0c891288e81bc46",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1111,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "a2d977e0474dca3b4a737eaa62bec0116fc0030b",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
7777
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7777
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 7777,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "f384589288b8ee2829ce55cf5a4ad877285e676a",
"event_fingerprint": "3f3bba27c5f5df8bb9692f302bad7af2e5d64b9f",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7777,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "9f6ec4a516e72d1b86e8cdbf6c4f3142d55ca886",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8090
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8090
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8090,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "2dfc0958186d7eba6e4c60cbf36f6993c86f14d0",
"event_fingerprint": "f0ba12ea638bc63544a493d13ee885b92a15c40b",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8090,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "aab3614b3fb80ba265ae72788d5c9fe042f24e45",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8181
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8181
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8181,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "bdcacf923d4126ae93d063bb5593e5136abd5350",
"event_fingerprint": "9a52a781e557b9f140cd167860dc7e7a21b93d98",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8181,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "f3a37817e869a0ddc5cfd615cbe67dda69512735",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8801
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8801
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8801,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "bb8fbf0f436b909039eb7814ff8598bc019ef08c",
"event_fingerprint": "d3109d0598983dd95c3a4c5c9dc4abef915b5a14",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8801,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "d53c870963a4e03e476d6ce86b8716d547d55511",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8800
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8800
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8800,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "2dccde2851452d2992e059a1743c5d03f0383a70",
"event_fingerprint": "14fc127f6e5825ff1c1a148e1ae42725937533b6",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8800,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "47e8897d4fdb9cae71e8ec0e6a32596e30a77238",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8081
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 25
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8081,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 25,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "54885a9ace86894f06c0464c7d4990d8b6d87065",
"event_fingerprint": "6200042a8eedd96c47b109adc0963a36d177f604",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "ca2a3c4432b9b2439a7791d74397a9e53181cdb7",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8888
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 25
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8888,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 25,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "f2dcda65c91d293e695bc36d2aad0db8bd1b9ee1",
"event_fingerprint": "49f507c2cf48f6931b95b26ad1848f202640d676",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "c95da89c00229903d27f41e308e4b8bd64ec47c2",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
8080
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8080
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.68.0
Connection: close
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 62,
"payload_entropy": 4.732027963438207,
"port_category": "registered",
"org": "Vpsvault.host Ltd",
"service": "http",
"app_proto": "http",
"asn": 215925,
"country": "SC",
"dst_port": 8080,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 24,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "de8c40439a6148cda65c84a02ccf9959cb156646",
"event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "SC",
"asn": 215925,
"org": "Vpsvault.host Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc",
"payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8080,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n",
"event_signature": "96b5ab0ad3215ea1b26efe3a6e6611376f83eb19",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_missing_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|