Renseignement sur les menaces

Seychelles

45.207.205.45

FAI FASTNET DATA INC Première vue 13/06/2026 18:13 UTC Dernière vue 13/06/2026 19:16 UTC Risque Moyen

Période analysée : 2026-05-16 → 2026-06-15

Activité suspecte — risque 51/100 (Moyen) — MITRE TA0001 — confiance 50 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 64/100 Moyen

Première observation 13/06/2026 18:13 UTC

Dernière observation 13/06/2026 19:16 UTC

Événements (période) 132

MITRE ATT&CK principal T1046 119 occurrences

Activité suspecte — risque 51/100 (Moyen) — MITRE TA0001 — confiance 50 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « xss_attack » (signaux protocolaires) · confiance 50%

Confiance 50 % — Score WAF 84 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 8796 · 45.207.204.0/23 · AFRINIC — 7 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 132 événements sur la période pour cette IP.

45.205.27.52 Sonde SSH 29/05/2026 11:09 UTC
156.238.224.50 Sonde SSH 25/04/2026 06:39 UTC
149.88.88.251 telnet attack 16/04/2026 20:11 UTC
156.238.252.133 Sonde SSH 21/02/2026 07:36 UTC
45.207.201.221 Sonde SSH 22/01/2026 19:17 UTC
156.238.252.46 Sonde SSH 02/01/2026 19:07 UTC
154.201.73.192 Sonde port 07/11/2025 20:20 UTC

Événements (filtres)

132

Première observation

13/06/2026 18:13 UTC

Dernière observation

13/06/2026 19:16 UTC

Dernière activité (filtres)

13/06/2026 19:16 UTC

Événements 7j

132

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 21 VNC TCP 6 Telnet TCP 4 REDIS TCP 4 NFS TCP 4 RSYNC TCP 4 RDP TCP 4 MEMCACHED TCP 3 HTTP ALT 8082 TCP 3 AMQP TCP 3 MONGODB TCP 3 FTP TCP 3 POSTGRES TCP 3 WEBLOGIC TCP 3 CASSANDRA TCP 3 MQTT TCP 3 HTTPS TCP 3 SAP ICM TCP 3 WEBMIN TCP 3 DOCKER TCP 3

HTTP

VNC

Telnet

REDIS

NFS

RSYNC

Géolocalisation

Origine réseau déclarée

Seychelles unknown unknown

FAI / réseau

Opérateur et dernière activité ban

FASTNET DATA INC 0 Port 8080 xss_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

xss attack · via HTTP:8080 · (tentative d'exploit) · → /status

Détails protocole

Méthode: GET
Chemin: /status
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0

Aperçu payload

GET /status HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 50 % — Motif catalogue confirmé · 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0284

Confiance

50% Confiance modérée — signal unique

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

132 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

132 événement(s) — page 1/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
13/06/2026 19:16:33 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /status	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /status UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 http_probe_status Cible HTTP GET /status TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /status Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 51 Confiance : Confiance 50 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Ligne de requête `GET /status HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /status HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Requête brute (extrait) GET /status HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: iden Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "af24ddb2864923603b3fa1d79a557e18e6080953", "http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 317, "payload_entropy": 5.417450684819197, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 0, "campaign_key": "805cfbda6105dbc671564d2d008b634ba7b21007", "event_fingerprint": "8002dbcdce8d628b0e62a91500fadfc84e28a6ab", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094", "payload_hash": "bad687133d74960ccb74cd16f4431c95", "path_pattern_hash": "ae4267a01f1269fbbf4824d26cf3bb22" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r", "method": "GET", "path": "\/status", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/status HTTP\/1.1", "request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: iden", "payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "evidence": { "method": "GET", "path": "\/status", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/status HTTP\/1.1", "request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: iden", "payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8654bd3ab1915a12f23384c94362ca73812c609c", "protocol_details": { "http_method": "GET", "http_path": "\/status", "request_line": "GET \/status HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/status", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/status", "request_line": "GET \/status HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/status", "evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "http_probe_status", "net_web_probe" ] }
13/06/2026 19:16:32 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /.svn/entries	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.svn/entries UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /.svn/entries TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.svn/entries Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — 5 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 ET .svn entries Probe /.svn/entries Ligne de requête `GET /.svn/entries HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Règles WAF rce-0 ssrf-3 nosqli-3 leak-6 Payload (extrait) GET /.svn/entries HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Requête brute (extrait) GET /.svn/entries HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Acce Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "svn\/entries", "http_ua_hash": "6bbf2729b77d83a6b06d37536b29c49acc003ee1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "fec28f2e1aabccf1f7e02d7f5d2dd9dd95703725", "http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 330, "payload_entropy": 5.383799947586428, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 8, "anomaly_count": 0, "campaign_key": "2853b1b9e1e6529091a7863991bd0e13419e6e88", "event_fingerprint": "cd8cd522126d4b77a53b242af565821cf5ffad0c", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284", "pat-0750", "pat-0201" ], "matched_pattern_names": [ "CRS 941130", "ET .svn entries", "Probe \/.svn\/entries" ], "pattern_ids": [ "pat-0284", "pat-0750", "pat-0201" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "270d0df155109110f4b8961ca727937c", "payload_hash": "36d92a8c0e4289a54a87475e3d88dfce", "path_pattern_hash": "a8bfcf5717c2407f76d3bb4e6b62379c" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15", "method": "GET", "path": "\/.svn\/entries", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950519:leak-6" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-6" ], "request_line": "GET \/.svn\/entries HTTP\/1.1", "request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcce", "payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15", "evidence": { "method": "GET", "path": "\/.svn\/entries", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950519:leak-6" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-6" ], "request_line": "GET \/.svn\/entries HTTP\/1.1", "request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcce", "payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a2c5d1170a882925951dc9949c57c165bfee028", "protocol_details": { "http_method": "GET", "http_path": "\/.svn\/entries", "request_line": "GET \/.svn\/entries HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.svn\/entries", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.svn\/entries", "request_line": "GET \/.svn\/entries HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.svn\/entries", "evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950519:leak-6", "http_probe_svn", "http_sensitive_path", "net_web_probe" ] }
13/06/2026 19:16:29 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 S Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "6bbf2729b77d83a6b06d37536b29c49acc003ee1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 330, "payload_entropy": 5.40427909025391, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "480b9acad89211481263cecadf14486b162a31f1", "event_fingerprint": "471e4385442f4b960146578510a7bcb25af0e0c2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284", "pat-0120" ], "matched_pattern_names": [ "CRS 941130", "LFI IIS web.config" ], "pattern_ids": [ "pat-0284", "pat-0120" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "270d0df155109110f4b8961ca727937c", "payload_hash": "ba625ca8694ccc6ae93598e07e255439", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f65913340539d8a960a2685f2f074625c7f9344f", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
13/06/2026 19:16:28 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /.git/config	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.git/config UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /.git/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.git/config Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0198 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Probe /.git/config Ligne de requête `GET /.git/config HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Règles WAF rce-0 ssrf-3 nosqli-3 leak-0 Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/1 Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/config", "http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df", "http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 322, "payload_entropy": 5.401451607643649, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 10, "anomaly_count": 0, "campaign_key": "19db4ae60e75e7e2e3bfa777e6cacb614c6a1d85", "event_fingerprint": "df5851a413a7a9b921ef143a6764b6ce2d04b977", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284", "pat-0198" ], "matched_pattern_names": [ "CRS 941130", "Probe \/.git\/config" ], "pattern_ids": [ "pat-0284", "pat-0198" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094", "payload_hash": "4e5df09dfc25ea57397960363df5e5fd", "path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "evidence": { "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "567daea565db6ff3a1a03302ea740655c1abc888", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0198", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0198", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
13/06/2026 19:16:21 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /robots.txt	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /robots.txt UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 50 Confiance : Confiance 50 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome Requête brute (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a436f6e74656e742d4c656e6774683a2032340d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a557365722d6167656e743a202a0a446973616c6c6f77", "emulator_response_len": 130, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "61b2fb88348adb0c454f69364a0bf16d1c9d26e5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 338, "payload_entropy": 5.418706644793915, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9585a195073a27e014a113facb4d0d764adf6c54", "event_fingerprint": "cc2111032008d2e949a36a0b84b1737a64811bc7", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dbab6c4c65f4e975e43617cd246fbb8c", "payload_hash": "f58cf61805af4890b6e15ab5448e1487", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome", "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb307d72ddb778105df6b7488185dd3f704703a0", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 96 }
13/06/2026 19:16:20 UTC	TCP	8080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8080 · (tentative d'exploit) · → /.env	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /.env UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Probe /.env Ligne de requête `GET /.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 A Requête brute (extrait) GET /.env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env", "http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc", "http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 313, "payload_entropy": 5.431720669549327, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 8, "anomaly_count": 0, "campaign_key": "2cb8d79e71a8a4f1315c8d83ce3623f97a991ecc", "event_fingerprint": "8a2fe31cf18283ee1184898bdb31081d3839d5a9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284", "pat-0191" ], "matched_pattern_names": [ "CRS 941130", "Probe \/.env" ], "pattern_ids": [ "pat-0284", "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094", "payload_hash": "dfe458bee7a5bfdda33931e6cf84ff08", "path_pattern_hash": "aef81e7735de8f42b73e111497498c8b" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nA", "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identi", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nA", "evidence": { "method": "GET", "path": "\/.env", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env HTTP\/1.1", "request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identi", "payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nA", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "315bc5e8b80cc1f99660d78165eda81e3ad59653", "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nA", "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 64 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/.env", "request_line": "GET \/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env", "evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nA", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env", "http_sensitive_path", "net_web_probe" ] }
13/06/2026 19:16:19 UTC	TCP	8080 · HTTP	http	Cross-site scripting xss attack · via HTTP:8080 · (tentative d'exploit) · → /swagger-ui.html	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /swagger-ui.html UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 http_swagger_probe Cible HTTP GET /swagger-ui.html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /swagger-ui.html Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 51 Confiance : Confiance 50 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 ET swagger ui Ligne de requête `GET /swagger-ui.html HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /swagger-ui.html HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 C Requête brute (extrait) GET /swagger-ui.html HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,e Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30", "emulator_response_len": 222, "http_header_count": 7, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "html", "http_ua_hash": "61b2fb88348adb0c454f69364a0bf16d1c9d26e5", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "0f5514f1110c12d9d5c0456d07668449b644af86", "http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51", "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 345, "payload_entropy": 5.436961898447919, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d0865531cc45c49f6541dfbf6b940906750493ec", "event_fingerprint": "f74f3faa9df699039279bdd97d947bb1c7a887e1", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0752" ], "matched_pattern_names": [ "CRS 941130", "ET swagger ui" ], "pattern_ids": [ "pat-0284", "pat-0752" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dbab6c4c65f4e975e43617cd246fbb8c", "payload_hash": "fdc2a14faff58a532f9c10ccabe1272f", "path_pattern_hash": "a22855a05d60774e49fb1f0a65374b33" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C", "method": "GET", "path": "\/swagger-ui.html", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/swagger-ui.html HTTP\/1.1", "request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,e", "payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C", "evidence": { "method": "GET", "path": "\/swagger-ui.html", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/swagger-ui.html HTTP\/1.1", "request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,\/;q=0.8\r\nAccept-Language: en-US,e", "payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "078982503e15bb3decbad9e66a8ca4a9caa260f8", "protocol_details": { "http_method": "GET", "http_path": "\/swagger-ui.html", "request_line": "GET \/swagger-ui.html HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C", "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/swagger-ui.html", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 51 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/swagger-ui.html", "request_line": "GET \/swagger-ui.html HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/swagger-ui.html", "evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "http_swagger_probe", "net_web_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
13/06/2026 18:38:38 UTC	TCP	9042 · CASSANDRA	cassandra	Scan de ports port scan syn · via CASSANDRA:9042 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CASSANDRA WAF — Recommandation Surveiller Tags cassandra_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9042 Chemin / cible — Service CASSANDRA Payload Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Mumble ping Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "840000000200000002", "emulator_response_len": 9, "bytes_in": 9, "payload_entropy": 0.9864267287308424, "port_category": "registered", "org": "FASTNET DATA INC", "service": "cassandra", "app_proto": "cassandra", "asn": 8796, "country": "SC", "dst_port": 9042, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1003280d273727fcc08ab3d788c35acf5b6d718b", "event_fingerprint": "26d8e48a1f6752aca7f9494557834abf00d18b90", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0768", "pat-0554" ], "matched_pattern_names": [ "Mumble ping", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0768", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cassandra", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5639e6990322230c72f701566cf7ac4b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9042, "service": "cassandra", "service_name": "cassandra", "risk_score": 42 }, "payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "request_sample": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "payload_snippet": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "payload_snippet": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5f2880a370b7bd09eb820101cdd3f1e0b5d401c0", "protocol_details": { "payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cassandra", "service_label_fr": "CASSANDRA", "dst_port": 9042, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000", "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra", "service_banner": "honeypot-cassandra", "service_os": "linux", "dst_port": "9042" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 36, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 5672, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 35, "scan_velocity_ports_per_s": 7.4, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	Scan de ports port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 8796, "country": "SC", "dst_port": 8081, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "4c26c2b609b676bc5d714fe3251b5cdfdaaeb381", "event_fingerprint": "4b8d01bf5e0cd8f05e9c73ead2fc5951c1842a92", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d14d91fd2da25abe99138129c9f0a9d0e3c5910d", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 24, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 7001, 8000, 8001, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 24, "scan_velocity_ports_per_s": 5.27, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	10000 · WEBMIN	webmin	Scan de ports port scan syn · via WEBMIN:10000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur WEBMIN WAF — Recommandation Surveiller Tags net_port_scan_fast webmin_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10000 Chemin / cible — Service WEBMIN Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "webmin", "app_proto": "webmin", "asn": 8796, "country": "SC", "dst_port": 10000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f6f8b00ee276ec0dc04212f7613c4569ede48db8", "event_fingerprint": "554995d9e038ae76febd9668bd51aadb43bc3553", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "webmin", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 10000, "service": "webmin", "service_name": "webmin", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39ac1194cbe404eadcc6621ca158a2587ea268bb", "protocol_details": { "port": 10000, "service": "webmin", "service_label_fr": "WEBMIN" }, "attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)", "target_port_label": "10000 \u00b7 WEBMIN", "emulator_service": "webmin", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBMIN \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "webmin", "service_label_fr": "WEBMIN", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-webmin", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 10000, "service": "webmin", "service_label_fr": "WEBMIN" }, "attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "10000 \u00b7 WEBMIN", "emulator_service": "webmin", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "webmin", "service_banner": "honeypot-webmin", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 25, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 7001, 8000, 8001, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 25, "scan_velocity_ports_per_s": 5.42, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "webmin_emulated" ] }
13/06/2026 18:38:37 UTC	TCP	8883 · MQTTS	mqtts	Scan de ports port scan syn · via MQTTS:8883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MQTTS WAF — Recommandation Surveiller Tags mqtts_emulated mqtts_payload net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8883 Chemin / cible — Service MQTTS Payload �,��xbΠ��pJ-�d�#��\|�z+��n�OC��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �,��xbΠ��pJ-�d�#��\|�z+��n�OC��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Requête brute (extrait) �,��xbΠ��pJ-�d�#��\|�z+��n�OC��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� g@?>3210��EDCB�1�-�)�%��</�A�� ' # Meta JSON brut { "protocol_emulated": true, "bytes_in": 517, "payload_entropy": 3.4340577034705113, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mqtts", "app_proto": "mqtts", "asn": 8796, "country": "SC", "dst_port": 8883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c4033ab61ec9697334b22f595c6efd6935f96f2c", "event_fingerprint": "25dd54199c1aabd249dd54e6daebc9ce369e03f7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtts", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3392ade22e82a3454f0f4bd7c19eaf2e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8883, "service": "mqtts", "service_name": "mqtts", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,\ufffd\ufffd\ufffdx\u001eb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,\ufffd\ufffd\ufffdx\u001eb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000g\u0000@\u0000?\u0000>\u00003\u00002\u00001\u00000\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000E\u0000D\u0000C\u0000B\ufffd1\ufffd-\ufffd)\ufffd%\ufffd\u000e\ufffd\u0004\u0000\ufffd\u0000<\u0000\/\u0000\ufffd\u0000A\ufffd\u0012\ufffd\b\u0000\u0016\u0000\u0013\u0000\u0010\u0000\r\ufffd\r\ufffd\u0003\u0000\n\u0000\u0007\ufffd\u0011\ufffd\u0007\ufffd\f\ufffd\u0002\u0000\u0005\u0000\u0004\u0000\ufffd\u0001\u0000\u0001'\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\n\u0000\b\u0000\u0017\u0000\u0019\u0000\u0018\u0000\u0016\u0000#\u0000\u0000\u0000\r\u0000 \u0000\u001e\u0006\u0001", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,\ufffd\ufffd\ufffdx\u001eb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acd13291d2f75e2f2965a4e404d34fc27d532a3d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,\ufffd\ufffd\ufffdx\u001eb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "evidence_snippet": "\ufffd,\ufffd\ufffd\ufffdxb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTTS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtts", "service_label_fr": "MQTTS", "dst_port": 8883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mqtts", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,\ufffd\ufffd\ufffdx\u001eb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd,\ufffd\ufffd\ufffdxb\u03a0\ufffd\ufffdpJ-\ufffdd\ufffd#\ufffd\ufffd\|\ufffdz+\ufffd\ufffd\ufffdn\ufffdOC\ufffd\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd*\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtts", "service_banner": "honeypot-mqtts", "service_os": "linux", "dst_port": "8883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 26, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 7001, 8000, 8001, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 26, "scan_velocity_ports_per_s": 5.5, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mqtts_emulated", "mqtts_payload", "net_port_scan_fast", "tls_clienthello" ] }
13/06/2026 18:38:37 UTC	TCP	5432 · POSTGRES	postgres	Scan de ports port scan syn · via POSTGRES:5432 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast postgres_emulated postgres_startup Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5432 Chemin / cible — Service POSTGRES Payload userscanner Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) userscanner Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000001252000000057573657200706f73746772657300", "emulator_response_len": 23, "bytes_in": 22, "payload_entropy": 2.799007754410897, "port_category": "registered", "org": "FASTNET DATA INC", "service": "postgres", "app_proto": "postgres", "asn": 8796, "country": "SC", "dst_port": 5432, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e630f9be573024b55f1346457f24bb083f64639c", "event_fingerprint": "5302d14dbea4b63204d1ed61b172d5e31032aca7", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f7fc6a8deed7656fb98612c21bea0e33", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5432, "service": "postgres", "service_name": "postgres", "risk_score": 42 }, "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "request_sample": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "151424fdfba4bacb32bb39e6d094d6e0b37d1ced", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "evidence_snippet": "userscanner", "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5432, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "PostgreSQL 15.4", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000 \u0000\u0003\u0000\u0000user\u0000scanner\u0000\u0000", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "evidence_snippet": "userscanner", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "PostgreSQL 15.4", "service_os": "linux", "dst_port": "5432" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 27, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 5432, 6379, 6443, 7001, 8000, 8001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 27, "scan_velocity_ports_per_s": 5.69, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "postgres_emulated", "postgres_startup", "postgresql_probe" ] }
13/06/2026 18:38:37 UTC	TCP	9090 · HTTP	http	Scan de ports port scan syn · via HTTP:9090 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_port_scan_fast Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 9090, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b7f18f1a0cabbcc6383e6ae4ae4d271b7a8328f5", "event_fingerprint": "33c6161f9f6122bf85b3dfd1409afe494b5efcd9", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56b5f924ef533a64ab01a89e42fc282608e31c46", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:9090 \u00b7 (reconnaissance)", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9090 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 5432, 6379, 6443, 7001, 8000, 8001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 28, "scan_velocity_ports_per_s": 5.86, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	15672 · HTTP	http	Scan de ports port scan syn · via HTTP:15672 · (reconnaissance) · → /api/overview	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /api/overview Émulateur HTTP WAF 10 Recommandation Surveiller Tags 950468:nosqli-3 950600:k8s-api http_no_ua http_probe_api Cible HTTP GET /api/overview TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 15672 Chemin / cible /api/overview Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3, k8s-api · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 43 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /api/overview HTTP/1.1` User-Agent — Règles WAF nosqli-3 k8s-api Payload (extrait) GET /api/overview HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "1d611ed6b1ee0513f83afa61908355db8590a6fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 67, "payload_entropy": 4.7319984742599495, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 15672, "risk_waf": 48, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 48, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "02457b60ea4e231bf6dfea74b5769c0df5619c40", "event_fingerprint": "000124bc4ef1e76abe7a49c220e988254f50bfc9", "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 48, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 43, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d8000b7777cba58b24f042676846c7bc", "path_pattern_hash": "f895a1ea84208a736ab1400709f45619" }, "target_context": { "dst_port": 15672, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/api\/overview", "waf_tags": [ "950468:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/overview HTTP\/1.1", "request_sample": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/api\/overview", "waf_tags": [ "950468:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/overview HTTP\/1.1", "request_sample": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1248cde5f051a5665f410ee7f26188688249bb94", "protocol_details": { "http_method": "GET", "http_path": "\/api\/overview", "request_line": "GET \/api\/overview HTTP\/1.1", "port": 15672, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview", "target_port_label": "15672 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 48, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 43, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 15672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/api\/overview", "request_line": "GET \/api\/overview HTTP\/1.1", "port": 15672, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview", "evidence_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "15672 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 48 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "15672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 29, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 5432, 6379, 6443, 7001, 8000, 8001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 29, "scan_velocity_ports_per_s": 5.98, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950468:nosqli-3", "950600:k8s-api", "http_no_ua", "http_probe_api", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	1883 · MQTT	mqtt	Scan de ports port scan syn · via MQTT:1883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Surveiller Tags mqtt_connect mqtt_emulated mqtt_payload net_bruteforce_burst Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Payload MQTT<hermes-scanner Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) MQTT protocol MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTT<hermes-scanner Meta JSON brut { "protocol_emulated": true, "emulator_response": "20020000", "emulator_response_len": 4, "bytes_in": 29, "payload_entropy": 4.004364184708143, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mqtt", "app_proto": "mqtt", "asn": 8796, "country": "SC", "dst_port": 1883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b9c613a1903c70705354025741e3b282488686d7", "event_fingerprint": "fee8f8e86b21ce5d7cca835e505fd9e20340232a", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0373", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "af78af0e1a719a0f3346087d92f8a951", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 42 }, "payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "request_sample": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "payload_snippet": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "evidence": { "request_sample": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "payload_snippet": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "210d2384f116b8df69785534628fb05f644e546f", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "evidence_snippet": "MQTT<hermes-scanner", "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "evidence_snippet": "MQTT<hermes-scanner", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 30, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 6379, 6443, 7001, 8000 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 29, "scan_velocity_ports_per_s": 8.56, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_connect", "mqtt_emulated", "mqtt_payload", "net_bruteforce_burst", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	8088 · HTTP	http	Scan de ports port scan syn · via HTTP:8088 · (reconnaissance) · → /ws/v1/cluster/info	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /ws/v1/cluster/info Émulateur HTTP WAF 14 Recommandation Surveiller Tags 950316:lfi-14 950468:nosqli-3 http_no_ua net_port_scan_fast Cible HTTP GET /ws/v1/cluster/info TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible /ws/v1/cluster/info Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /ws/v1/cluster/info HTTP/1.1` User-Agent — Règles WAF lfi-14 nosqli-3 Payload (extrait) GET /ws/v1/cluster/info HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "c02296e881191e48544b783d24172151ce54f953", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.713816258032697, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8088, "risk_waf": 64, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 64, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 49, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4694935ab379d1e5f04b4c947f318db984986f79", "event_fingerprint": "595e713b8ed114cac6a88c996dbeb013a8846a42", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 64, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 49, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "69f3a2af423a7eb10207f4d021544387", "path_pattern_hash": "b97b519a961eb91b3adbe4bae2b7469b" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/ws\/v1\/cluster\/info", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/ws\/v1\/cluster\/info HTTP\/1.1", "request_sample": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/ws\/v1\/cluster\/info", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3" ], "waf_rule_names": [ "lfi-14", "nosqli-3" ], "request_line": "GET \/ws\/v1\/cluster\/info HTTP\/1.1", "request_sample": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "043635caf8876b329c415a7b0a58908ee4005720", "protocol_details": { "http_method": "GET", "http_path": "\/ws\/v1\/cluster\/info", "request_line": "GET \/ws\/v1\/cluster\/info HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:8088 \u00b7 (reconnaissance) \u00b7 \u2192 \/ws\/v1\/cluster\/info", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 49, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/ws\/v1\/cluster\/info", "request_line": "GET \/ws\/v1\/cluster\/info HTTP\/1.1", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8088 \u00b7 (reconnaissance) \u00b7 \u2192 \/ws\/v1\/cluster\/info", "evidence_snippet": "GET \/ws\/v1\/cluster\/info HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 31, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 6379, 6443, 7001, 8000 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 30, "scan_velocity_ports_per_s": 8.72, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "http_no_ua", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	5672 · AMQP	amqp	Scan de ports port scan syn · via AMQP:5672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur AMQP WAF — Recommandation Surveiller Tags amqp_emulated amqp_handshake net_port_scan_fast rabbitmq_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5672 Chemin / cible — Service AMQP Payload AMQP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) AMQP protocol AMQP protocol header User-Agent — Règles WAF — Payload (extrait) AMQP Meta JSON brut { "protocol_emulated": true, "emulator_response": "414d515000000901010000000000000e000a000b000000000000000000", "emulator_response_len": 29, "bytes_in": 8, "payload_entropy": 2.75, "port_category": "registered", "org": "FASTNET DATA INC", "service": "amqp", "app_proto": "amqp", "asn": 8796, "country": "SC", "dst_port": 5672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c1aa8bce132164e102c58afac0b2979156bed4b3", "event_fingerprint": "72ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0371", "pat-0537" ], "matched_pattern_names": [ "AMQP protocol", "AMQP protocol header" ], "pattern_ids": [ "pat-0371", "pat-0537" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "amqp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bc2f502576523902588d3c36f36ea5a1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5672, "service": "amqp", "service_name": "amqp", "risk_score": 42 }, "payload_preview": "AMQP\u0000\u0000\t\u0001", "request_sample": "AMQP\u0000\u0000\t\u0001", "payload_snippet": "AMQP\u0000\u0000\t\u0001", "evidence": { "request_sample": "AMQP\u0000\u0000\t\u0001", "payload_snippet": "AMQP\u0000\u0000\t\u0001", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a821aea75eb0f582f0d612305103cb4c3a8ea7d", "protocol_details": { "payload_preview": "AMQP\u0000\u0000\t\u0001", "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "evidence_snippet": "AMQP", "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "amqp", "service_label_fr": "AMQP", "dst_port": 5672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-amqp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "AMQP\u0000\u0000\t\u0001", "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "evidence_snippet": "AMQP", "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "amqp", "service_banner": "honeypot-amqp", "service_os": "linux", "dst_port": "5672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 32, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 5672, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 31, "scan_velocity_ports_per_s": 8.96, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "amqp_emulated", "amqp_handshake", "net_port_scan_fast", "rabbitmq_probe" ] }
13/06/2026 18:38:37 UTC	TCP	8888 · HTTP	http	Scan de ports port scan syn · via HTTP:8888 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_port_scan_fast Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8888, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "05c58c5f19ad288de9a49d67ac759a6d356e63bd", "event_fingerprint": "80f2aa9a52b555c26e5706a111edbf5b4c7d378f", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c0e2e654b48ad25a812ff07195dc9c3e3d2b3b94", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8888, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 33, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 5672, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 32, "scan_velocity_ports_per_s": 9.12, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	8899	—	Scan de ports port scan syn · port 8899 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8899 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": null, "app_proto": null, "asn": 8796, "country": "SC", "dst_port": 8899, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 8, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "afc0b200edac86f190e0a27b340d58a500e24ec4", "event_fingerprint": "7f07ea3293347933c3fac46abf8a10ebef865f1d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8899, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71785876e697554beb415bccbdbd283be1bbba9f", "protocol_details": { "port": 8899 }, "attack_vector": "port scan syn \u00b7 port 8899 \u00b7 (reconnaissance)", "target_port_label": "8899", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8899 }, "attack_vector": "port scan syn \u00b7 port 8899 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8899", "emulator_service": null, "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 34, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 5672, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 33, "scan_velocity_ports_per_s": 9.13, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	28080	—	Scan de ports port scan syn · port 28080 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 28080 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": null, "app_proto": null, "asn": 8796, "country": "SC", "dst_port": 28080, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 8, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "030863de9f8fb9061654405a1dec756cb9b35e6d", "event_fingerprint": "4f56b264f7d5f0a896faf463b1211986c71b8b79", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 28080, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e5235981516249f27cbd5d6469af2b836e1284a", "protocol_details": { "port": 28080 }, "attack_vector": "port scan syn \u00b7 port 28080 \u00b7 (reconnaissance)", "target_port_label": "28080", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 28080, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 28080 }, "attack_vector": "port scan syn \u00b7 port 28080 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "28080", "emulator_service": null, "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "28080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 35, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3389, 5000, 5432, 5672, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 34, "scan_velocity_ports_per_s": 8.98, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:37 UTC	TCP	5901 · VNC	vnc	Scan de ports port scan syn · via VNC:5901 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5901 Chemin / cible — Service VNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "vnc", "app_proto": "vnc", "asn": 8796, "country": "SC", "dst_port": 5901, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1b0a8dfabeea22865ca682ed240153e6e7261766", "event_fingerprint": "1f120765377258e8d734a87494c566260cf9e406", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5901, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6822bcdc268f5cd61436ff5b2c889cd3431ab479", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5901, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5901" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 40, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 40, "scan_velocity_ports_per_s": 9.45, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports port scan syn · via ELASTICSEARCH:9200 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Requête Elasticsearch : / Émulateur ELASTICSEARCH WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_elasticsearch_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible / Service ELASTICSEARCH Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.0 Host: 62.3.50.33 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 1, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 36, "payload_entropy": 4.120635070586275, "port_category": "registered", "org": "FASTNET DATA INC", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 8796, "country": "SC", "dst_port": 9200, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "95e5a5bd0dfa3f57edfa45640d852970309324d2", "event_fingerprint": "51cd5383980c299a7513ab00aa13577eca9d42fc", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "061cf18e2bcd7614e9e52a476e472246", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac6748796e4d2cdb6951523b37012b3f99a351ec", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.0\r\nHost: 62.3.50.33", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +18 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 23, 873, 2049, 3389, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.14, "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_elasticsearch_probe" ] }
13/06/2026 18:38:36 UTC	TCP	6379 · REDIS	redis	Scan de ports port scan syn · via REDIS:6379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Payload INFO server Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) INFO server Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 13, "payload_entropy": 3.392747410448785, "port_category": "registered", "org": "FASTNET DATA INC", "service": "redis", "app_proto": "redis", "asn": 8796, "country": "SC", "dst_port": 6379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b10303bd0e441f9f60f46376cbc4ca72292b5068", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f476d1064f00dd89417b202b45882197", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "INFO server\r\n", "request_sample": "INFO server\r\n", "payload_snippet": "INFO server", "evidence": { "request_sample": "INFO server\r\n", "payload_snippet": "INFO server", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b24cc91ed115e2f5aef131badbdc58808782a13f", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "INFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "INFO server", "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "INFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "evidence_snippet": "INFO server", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 23, 873, 2049, 3389, 6379, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.42, "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	2375 · DOCKER	docker	Scan de ports port scan syn · via DOCKER:2375 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /version HTTP/1.0 Host: 62.3.50.33 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /version HTTP/1.0 Host: 62.3.50.33 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 43, "payload_entropy": 4.454766207938903, "port_category": "registered", "org": "FASTNET DATA INC", "service": "docker", "app_proto": "docker", "asn": 8796, "country": "SC", "dst_port": 2375, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8c1839cdbd9fa9388eb8b04668a8b57ccf5e28c3", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9b1c5e487e7cfaf882da8b2a6931bd4c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 42 }, "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "request_sample": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "evidence": { "request_sample": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a86d6437b4611276c7648b74f945db65fb91cca", "protocol_details": { "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 10, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "payload_preview": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/version HTTP\/1.0\r\nHost: 62.3.50.33", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 1.7, "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe" ] }
13/06/2026 18:38:36 UTC	TCP	8443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:8443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload ��G��I� ��_�@=��nP�S2<��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��G��I� ��_�@=��nP�S2<��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Requête brute (extrait) ��G��I� ��_�@=��nP�S2<��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� g@?>3210��EDCB�1�-�)�%��</�A�� ' # Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 517, "payload_entropy": 3.4074903195372235, "port_category": "registered", "org": "FASTNET DATA INC", "service": "https", "app_proto": "https", "asn": 8796, "country": "SC", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bb3c3a279e0f3024a58c19e9ab3844d9", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffd\u0010\ufffd\ufffd\ufffd\u0006\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\u0019\ufffd\ufffd\ufffdnP\ufffdS2\u0018<\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffd\u0010\ufffd\ufffd\ufffd\u0006\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\u0019\ufffd\ufffd\ufffdnP\ufffdS2\u0018<\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000g\u0000@\u0000?\u0000>\u00003\u00002\u00001\u00000\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000E\u0000D\u0000C\u0000B\ufffd1\ufffd-\ufffd)\ufffd%\ufffd\u000e\ufffd\u0004\u0000\ufffd\u0000<\u0000\/\u0000\ufffd\u0000A\ufffd\u0012\ufffd\b\u0000\u0016\u0000\u0013\u0000\u0010\u0000\r\ufffd\r\ufffd\u0003\u0000\n\u0000\u0007\ufffd\u0011\ufffd\u0007\ufffd\f\ufffd\u0002\u0000\u0005\u0000\u0004\u0000\ufffd\u0001\u0000\u0001'\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\n\u0000\b\u0000\u0017\u0000\u0019\u0000\u0018\u0000\u0016\u0000#\u0000\u0000\u0000\r\u0000 \u0000\u001e\u0006\u0001", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffd\u0010\ufffd\ufffd\ufffd\u0006\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\u0019\ufffd\ufffd\ufffdnP\ufffdS2\u0018<\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ddf4ef1bc4ff7f36ae0a55fcd51af394df74473", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffd\u0010\ufffd\ufffd\ufffd\u0006\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\u0019\ufffd\ufffd\ufffdnP\ufffdS2\u0018<\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\ufffd\ufffd\ufffdnP\ufffdS2<\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffd\u0010\ufffd\ufffd\ufffd\u0006\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\u0019\ufffd\ufffd\ufffdnP\ufffdS2\u0018<\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd\r\ufffd\ufffd_\ufffd@=\ufffd\ufffd\ufffd\ufffdnP\ufffdS2<\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd*\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8443, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.98, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ] }
13/06/2026 18:38:36 UTC	TCP	11211 · MEMCACHED	memcached	Scan de ports port scan syn · via MEMCACHED:11211 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MEMCACHED WAF — Recommandation Surveiller Tags memcached_emulated memcached_payload net_memcached_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 11211 Chemin / cible — Service MEMCACHED Memcached Requête stats Memcached (UDP/TCP) Payload stats Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Memcached stats Memcached stats ET Memcached UDP User-Agent — Règles WAF — Payload (extrait) stats Meta JSON brut { "protocol_emulated": true, "emulator_response": "454e440d0a", "emulator_response_len": 5, "bytes_in": 7, "payload_entropy": 2.2359263506290326, "port_category": "registered", "org": "FASTNET DATA INC", "service": "memcached", "app_proto": "memcached", "asn": 8796, "country": "SC", "dst_port": 11211, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66464a82723b1788e29428c6a1128b7840beb1bb", "event_fingerprint": "2fcce8d4fd15e6ca50ec0235eeed2c6616def357", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0374", "pat-0533", "pat-0865" ], "matched_pattern_names": [ "Memcached stats", "Memcached stats", "ET Memcached UDP" ], "pattern_ids": [ "pat-0374", "pat-0533", "pat-0865" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "memcached", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11e629574907d3a9ced402e26f4a98df", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 11211, "service": "memcached", "service_name": "memcached", "risk_score": 42 }, "payload_preview": "stats\r\n", "request_sample": "stats\r\n", "payload_snippet": "stats", "evidence": { "request_sample": "stats\r\n", "payload_snippet": "stats", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17158f55ce472e246caf20eb947d39c96ac2d05b", "protocol_details": { "memcached_stats_fr": "Requ\u00eate stats Memcached (UDP\/TCP)", "payload_preview": "stats", "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "evidence_snippet": "stats", "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "memcached", "service_label_fr": "MEMCACHED", "dst_port": 11211, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-memcached", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "memcached_stats_fr": "Requ\u00eate stats Memcached (UDP\/TCP)", "payload_preview": "stats", "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "evidence_snippet": "stats", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "memcached", "service_banner": "honeypot-memcached", "service_os": "linux", "dst_port": "11211" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8443, 9200, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 2.26, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "memcached_emulated", "memcached_payload", "net_memcached_probe" ] }
13/06/2026 18:38:36 UTC	TCP	10250 · HTTP	http	Scan de ports port scan syn · via HTTP:10250 · (reconnaissance) · → /pods	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /pods Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_no_ua net_web_probe Cible HTTP GET /pods TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10250 Chemin / cible /pods Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Kubelet pods Ligne de requête `GET /pods HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /pods HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "59a6926bbb41b1ddf30b6bc032d8a4223f148f92", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 59, "payload_entropy": 4.583843210665387, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 10250, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "35da93185201bdedf8e92e7e69e98c4b4b9072c8", "event_fingerprint": "afd16ac0ae7757b5352f24da737d895e5ae88687", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0653" ], "matched_pattern_names": [ "Kubelet pods" ], "pattern_ids": [ "pat-0653" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b95676fe3044d38e0c626d1f59a65b77", "path_pattern_hash": "1444c195f4233af8530aa1bd4b4e2207" }, "target_context": { "dst_port": 10250, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "request_sample": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "request_sample": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0f14911a2b4f661a24b9bed9080b30d0710b5289", "protocol_details": { "http_method": "GET", "http_path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "port": 10250, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:10250 \u00b7 (reconnaissance) \u00b7 \u2192 \/pods", "target_port_label": "10250 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10250, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Kubernetes kubelet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/pods", "request_line": "GET \/pods HTTP\/1.1", "port": 10250, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:10250 \u00b7 (reconnaissance) \u00b7 \u2192 \/pods", "evidence_snippet": "GET \/pods HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "10250 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kubelet", "service_banner": "Kubernetes kubelet", "service_os": "linux", "dst_port": "10250" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 9, "scan_velocity_ports_per_s": 2.54, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_no_ua", "net_web_probe" ] }
13/06/2026 18:38:36 UTC	TCP	8080 · HTTP	http	Scan de ports port scan syn · via HTTP:8080 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "37198db21b7202e636438aa5da36611eb6d754de", "event_fingerprint": "e8d7e440ce64622852a586f753bfe5d0110d3e76", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ce22446e4ab7f72a9ae725fcad3b89283f55f8e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8080, 8443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 10, "scan_velocity_ports_per_s": 2.81, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_web_probe" ] }
13/06/2026 18:38:36 UTC	TCP	27017 · MONGODB	mongodb	Scan de ports port scan syn · via MONGODB:27017 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MONGODB WAF — Recommandation Surveiller Tags mongodb_emulated mongodb_enum_probe mongodb_hello_probe mongodb_wire_protocol Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 27017 Chemin / cible — Service MONGODB Payload �admin.$cmd��ismaster�?buildInfo�? Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Mongo buildInfo Mongo isMaster legacy Mongo ismaster command Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �admin.$cmd��ismaster�?buildInfo�? Meta JSON brut { "protocol_emulated": true, "emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00", "emulator_response_len": 62, "bytes_in": 81, "payload_entropy": 3.145504394696991, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mongodb", "app_proto": "mongodb", "asn": 8796, "country": "SC", "dst_port": 27017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "34db2551f255f2003a44fcbfe8b27fd39086a6e9", "event_fingerprint": "89c003b1f7f024618bebd2869d70fcbe185c35c2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0359", "pat-0363", "pat-0364", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo buildInfo", "Mongo isMaster legacy", "Mongo ismaster command", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0359", "pat-0363", "pat-0364", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mongodb", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ec31e2904bf04b40da5c05e50ca54b0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 27017, "service": "mongodb", "service_name": "mongodb", "risk_score": 42 }, "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "request_sample": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0dce53057581db51b04ff012ea5463802bfe5c1", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "evidence_snippet": "\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismaster\ufffd?buildInfo\ufffd?", "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONGODB \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb", "service_label_fr": "MONGODB", "dst_port": 27017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001ismaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000buildInfo\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismaster\ufffd?buildInfo\ufffd?", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb", "service_banner": "honeypot-mongodb", "service_os": "linux", "dst_port": "27017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 2.99, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_emulated", "mongodb_enum_probe", "mongodb_hello_probe", "mongodb_wire_protocol", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	6379 · REDIS	redis	Scan de ports port scan syn · via REDIS:6379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_port_scan_fast redis_emulated redis_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Payload PING INFO server Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) PING INFO server Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b504f4e470d0a", "emulator_response_len": 7, "bytes_in": 19, "payload_entropy": 3.6163485660751635, "port_category": "registered", "org": "FASTNET DATA INC", "service": "redis", "app_proto": "redis", "asn": 8796, "country": "SC", "dst_port": 6379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "682468d2f924e6d1c14d1cde4342358134bc1ee2", "event_fingerprint": "ad893b67498ef5007c1d8733f7eb11e5e6fc39df", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "67a876fb8d199d3484763c3ff81a5c27", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "PING\r\nINFO server\r\n", "request_sample": "PING\r\nINFO server\r\n", "payload_snippet": "PING\r\nINFO server", "evidence": { "request_sample": "PING\r\nINFO server\r\n", "payload_snippet": "PING\r\nINFO server", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb9a06d121104985d22cffdfd39764f1e9c93120", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "PING\r\nINFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "PING\r\nINFO server", "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "payload_preview": "PING\r\nINFO server", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "evidence_snippet": "PING\r\nINFO server", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 23, 873, 2049, 2375, 3389, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 2.84, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "redis_emulated", "redis_probe" ] }
13/06/2026 18:38:36 UTC	TCP	1433 · MSSQL	mssql	Scan de ports port scan syn · via MSSQL:1433 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload 4"&� Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) MSSQL TDS prelogin Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) 4"&� Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 56, "payload_entropy": 2.0032319580345135, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mssql", "app_proto": "mssql", "asn": 8796, "country": "SC", "dst_port": 1433, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2a87ced7345534fad07c06d5fee8831b7108526a", "event_fingerprint": "8f570cf827dc5baaefbcb07a060f98107c5249e5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9c795ab9c68996bde49a052760707d45", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 42 }, "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d30d47f7877a4222f363d1243117824194e8a13", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": "4\"&\ufffd", "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MSSQL \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\"\u0000\u0004\u0004\u0000&\u0000\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "evidence_snippet": "4\"&\ufffd", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 13, "port_scan_ports_sample": [ 23, 873, 1433, 2049, 2375, 3389, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 12, "scan_velocity_ports_per_s": 3.1, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	2376 · DOCKER TLS	docker-tls	Scan de ports port scan syn · via DOCKER TLS:2376 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_api_probe docker_tls_emulated docker_tls_payload net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Payload �2�L��^W��j�XXMׄ�7O�j�Uk�J��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �2�L��^W��j�XXMׄ�7O�j�Uk�J��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� Requête brute (extrait) �2�L��^W��j�XXMׄ�7O�j�Uk�J��0�,�(�$�� kjih9876��2�.��&��=5��/�+�'�#�� g@?>3210��EDCB�1�-�)�%��</�A�� ' # Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "bytes_in": 517, "payload_entropy": 3.4075390991442718, "port_category": "registered", "org": "FASTNET DATA INC", "service": "docker-tls", "app_proto": "docker-tls", "asn": 8796, "country": "SC", "dst_port": 2376, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "71fbf70477a66316649ee1707ff12bdc56b7b492", "event_fingerprint": "2934eaa6e03002fa8b30d0603e83341e6028eb9b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "25e52dbf4b2540dbbe494659568e1ec9", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffdL\ufffd\ufffd\u0006^W\u0018\ufffd\ufffd\u0012\ufffdj\ufffdX\u001cXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffdL\ufffd\ufffd\u0006^W\u0018\ufffd\ufffd\u0012\ufffdj\ufffdX\u001cXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000g\u0000@\u0000?\u0000>\u00003\u00002\u00001\u00000\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000E\u0000D\u0000C\u0000B\ufffd1\ufffd-\ufffd)\ufffd%\ufffd\u000e\ufffd\u0004\u0000\ufffd\u0000<\u0000\/\u0000\ufffd\u0000A\ufffd\u0012\ufffd\b\u0000\u0016\u0000\u0013\u0000\u0010\u0000\r\ufffd\r\ufffd\u0003\u0000\n\u0000\u0007\ufffd\u0011\ufffd\u0007\ufffd\f\ufffd\u0002\u0000\u0005\u0000\u0004\u0000\ufffd\u0001\u0000\u0001'\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\n\u0000\b\u0000\u0017\u0000\u0019\u0000\u0018\u0000\u0016\u0000#\u0000\u0000\u0000\r\u0000 \u0000\u001e\u0006\u0001", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffdL\ufffd\ufffd\u0006^W\u0018\ufffd\ufffd\u0012\ufffdj\ufffdX\u001cXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "04a3cd30fb8faffc2802c03f8cc0fe27580d2d62", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffdL\ufffd\ufffd\u0006^W\u0018\ufffd\ufffd\u0012\ufffdj\ufffdX\u001cXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "evidence_snippet": "\ufffd2\ufffdL\ufffd\ufffd^W\ufffd\ufffd\ufffdj\ufffdXXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER TLS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffdL\ufffd\ufffd\u0006^W\u0018\ufffd\ufffd\u0012\ufffdj\ufffdX\u001cXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\u0000\u0000\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000k\u0000j\u0000i\u0000h\u00009\u00008\u00007\u00006\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd2\ufffd.\ufffd\ufffd&\ufffd\u000f\ufffd\u0005\u0000\ufffd\u0000=\u00005\u0000\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\u0013\ufffd\t\u0000\ufffd\u0000\ufffd\u0000\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd2\ufffdL\ufffd\ufffd^W\ufffd\ufffd\ufffdj\ufffdXXM\u05c4\ufffd7O\ufffdj\ufffdUk\ufffdJ\ufffd\ufffd\ufffd0\ufffd,\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdkjih9876\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd.\ufffd*\ufffd&\ufffd\ufffd\ufffd=5\ufffd\ufffd\/\ufffd+\ufffd'\ufffd#\ufffd\ufffd\t\ufffd\ufffd\ufffd", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 14, "port_scan_ports_sample": [ 23, 873, 1433, 2049, 2375, 2376, 3389, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 13, "scan_velocity_ports_per_s": 3.34, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_tls_emulated", "docker_tls_payload", "net_port_scan_fast", "tls_clienthello" ] }
13/06/2026 18:38:36 UTC	TCP	21 · FTP	ftp	Scan de ports port scan syn · via FTP:21 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ftp", "app_proto": "ftp", "asn": 8796, "country": "SC", "dst_port": 21, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1c2e3b4d6bfb5ebd3a4fc0cb9495918eababa190", "event_fingerprint": "9031dd2c4b6735507ef78d847b42e7fda3d480dc", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ftp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86741c785ad85d2c2164e0b0d81fa19001b0f3a6", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 15, "port_scan_ports_sample": [ 21, 23, 873, 1433, 2049, 2375, 2376, 3389, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 14, "scan_velocity_ports_per_s": 3.59, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	6443 · K8S API	k8s-api	Scan de ports port scan syn · via K8S API:6443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur K8S-API WAF — Recommandation Surveiller Tags http_get_probe k8s_api_emulated k8s_api_payload kubernetes_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6443 Chemin / cible — Service K8S API Payload GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75", "emulator_response_len": 165, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "k8s-api", "app_proto": "k8s-api", "asn": 8796, "country": "SC", "dst_port": 6443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e257991cb5200ff10524b3c9f7213057ba0d3047", "event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "k8s-api", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6443, "service": "k8s-api", "service_name": "k8s-api", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8ed30e11df9aecf5c7c267f21c7cae8dba574315", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "k8s-api", "service_label_fr": "K8S API", "dst_port": 6443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-k8s-api", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "k8s_api", "service_banner": "honeypot-k8s-api", "service_os": "linux", "dst_port": "6443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 16, "port_scan_ports_sample": [ 21, 23, 873, 1433, 2049, 2375, 2376, 3389, 6379, 6443, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 15, "scan_velocity_ports_per_s": 3.85, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "k8s_api_emulated", "k8s_api_payload", "kubernetes_probe", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	5000 · HTTP	http	Scan de ports port scan syn · via HTTP:5000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_port_scan_fast Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 5000, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7f211ab7369950d2beac430b060fd944d20c9248", "event_fingerprint": "89f048096fc4888db8855d6a58ccce9e39debd7f", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f5dda584b1c9f07fd2a887d9f39b417a199d26b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 5000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "5000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 17, "port_scan_ports_sample": [ 21, 23, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8080, 8443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 16, "scan_velocity_ports_per_s": 3.9, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_port_scan_fast rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Payload �4 Pourquoi cette classification : Négociation protocole RDP · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) RDP TPKT header Kafka ApiVersions key ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed00000123400021f080000000000", "emulator_response_len": 19, "bytes_in": 19, "payload_entropy": 2.641120933813016, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rdp", "app_proto": "rdp", "asn": 8796, "country": "SC", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5ed73cfce7a44a53492629041c496a4037400214", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0556", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "Kafka ApiVersions key", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0556", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6204aaa1d040d920bdb6acca924eba1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8b60929df89d94194f22b86575bddde46f51cb3d", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd4", "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "classification_reason_label_fr": "N\u00e9gociation protocole RDP \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u00124\u0000\u0002\u000f\b\u0000\u0002\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd4", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 17, "port_scan_ports_sample": [ 21, 23, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8080, 8443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 17, "scan_velocity_ports_per_s": 4.07, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rdp_cookie", "rdp_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	445 · SMB	smb	Scan de ports port scan syn · via SMB:445 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "smb", "app_proto": "smb", "asn": 8796, "country": "SC", "dst_port": 445, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "96665521d70583a97d746c1fa2f6b4da6e027b9b", "event_fingerprint": "28ecc987eb914c8ed9fc92ead8a82a75ca582ae2", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af8c0668a2bd1f95092bf662f2b36fd5bc842133", "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SMB \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 18, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8080, 8443, 9200, 10250 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 18, "scan_velocity_ports_per_s": 4.27, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "smb_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	9000 · HTTP	http	Scan de ports port scan syn · via HTTP:9000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua net_port_scan_fast Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 9000, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "79c9e98c4c27e0b950e18ec690d012ad5320bb54", "event_fingerprint": "23dd8620e82dd7d29b08cc2b43d4905facc7c62e", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b9ff06348a58871af057ab6650740f350ee036a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 19, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8080, 8443, 9000, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 19, "scan_velocity_ports_per_s": 4.5, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	2049 · NFS	nfs	Scan de ports port scan syn · via NFS:2049 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NFS WAF — Recommandation Surveiller Tags net_port_scan_fast nfs_emulated nfs_mount nfs_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Service NFS Payload (�� Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) RDP TPKT header ET H.323 setup NFS RPC mount Mumble ping Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) (�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "800000290000000000000000", "emulator_response_len": 12, "bytes_in": 40, "payload_entropy": 1.1103029464166383, "port_category": "registered", "org": "FASTNET DATA INC", "service": "nfs", "app_proto": "nfs", "asn": 8796, "country": "SC", "dst_port": 2049, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "579396ac80141cc356e24764f2908b0158e9edc6", "event_fingerprint": "406f1fb049fa29b057884fc3ea6c98702c6088ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "NFS RPC mount", "Mumble ping", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0532", "pat-0768", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "nfs", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ddea4e3d761e9c205132ef111fbc9454", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2049, "service": "nfs", "service_name": "nfs", "risk_score": 42 }, "payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d43dffafa2bbf9b57cdb25e5dad2160e3ede6754", "protocol_details": { "payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "evidence_snippet": "(\ufffd\ufffd", "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 10, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nfs", "service_label_fr": "NFS", "dst_port": 2049, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nfs", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "evidence_snippet": "(\ufffd\ufffd", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nfs", "service_banner": "honeypot-nfs", "service_os": "linux", "dst_port": "2049" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 19, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8080, 8443, 9000, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 19, "scan_velocity_ports_per_s": 4.46, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "nfs_emulated", "nfs_mount", "nfs_payload", "nfs_probe" ] }
13/06/2026 18:38:36 UTC	TCP	8001 · HTTP ALT 8001	http-alt-8001	Scan de ports port scan syn · via HTTP ALT 8001:8001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8001 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8001 Chemin / cible — Service HTTP ALT 8001 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8001", "app_proto": "http-alt-8001", "asn": 8796, "country": "SC", "dst_port": 8001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c5e87dc6e5c16ff4835256ea9983e0a3ac15af77", "event_fingerprint": "a7663b25eee412a43bf0523e5c9c4eca004bd0ac", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8001", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8001, "service": "http-alt-8001", "service_name": "http-alt-8001", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3972144e91f62dfa1c95264ff05ce7d9ca0ca98a", "protocol_details": { "port": 8001, "service": "http-alt-8001", "service_label_fr": "HTTP ALT 8001" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)", "target_port_label": "8001 \u00b7 HTTP ALT 8001", "emulator_service": "http-alt-8001", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8001 \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8001", "service_label_fr": "HTTP ALT 8001", "dst_port": 8001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8001", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8001, "service": "http-alt-8001", "service_label_fr": "HTTP ALT 8001" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8001 \u00b7 HTTP ALT 8001", "emulator_service": "http-alt-8001", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8001", "service_banner": "honeypot-http-alt-8001", "service_os": "linux", "dst_port": "8001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 20, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8001, 8080, 8443, 9000 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 20, "scan_velocity_ports_per_s": 4.6, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	8082 · HTTP ALT 8082	http-alt-8082	Scan de ports port scan syn · via HTTP ALT 8082:8082 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8082 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8082 Chemin / cible — Service HTTP ALT 8082 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8082", "app_proto": "http-alt-8082", "asn": 8796, "country": "SC", "dst_port": 8082, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a6f984ec056a43a9930866c96db3b3702488c652", "event_fingerprint": "754fe1c1fd27dff7b9653c1ba3c9f4252e86ae83", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8082", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8082, "service": "http-alt-8082", "service_name": "http-alt-8082", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "334f348ae62f55a35b64bafe573c1fe6d3e4d0a3", "protocol_details": { "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8082 \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8082", "service_label_fr": "HTTP ALT 8082", "dst_port": 8082, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8082", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8082", "service_banner": "honeypot-http-alt-8082", "service_os": "linux", "dst_port": "8082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 21, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 8001, 8080, 8082, 8443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 21, "scan_velocity_ports_per_s": 4.79, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	7001 · WEBLOGIC	weblogic	Scan de ports port scan syn · via WEBLOGIC:7001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_port_scan_fast weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "weblogic", "app_proto": "weblogic", "asn": 8796, "country": "SC", "dst_port": 7001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3fcef425cf6d5e04af560de16c42631b27272a8b", "event_fingerprint": "6f7c2121a7e056fb57bd2523bd43bf2060a47b5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "07acb5eae08360e51f20e03b427e156a44198252", "protocol_details": { "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 22, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 7001, 8001, 8080, 8082 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 22, "scan_velocity_ports_per_s": 4.97, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "weblogic_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports port scan syn · via SAP ICM:8000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags http_get_probe net_port_scan_fast sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Payload GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 55, "payload_entropy": 4.5038203952248335, "port_category": "registered", "org": "FASTNET DATA INC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 8796, "country": "SC", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bb85ce655bbd3b0e506808e14ae69d2961de6e47", "event_fingerprint": "35f03245cfcefbc377b60a7eaa4e05d4006fb65d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f0bf494803669a89021e5acd1315d539", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af2b21ed083f6655817d1d1a72d4c637000806c2", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via SAP ICM:8000 \u00b7 (reconnaissance)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SAP ICM \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "port scan syn \u00b7 via SAP ICM:8000 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 23, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 2049, 2375, 2376, 3389, 5000, 6379, 6443, 7001, 8000, 8001, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 23, "scan_velocity_ports_per_s": 5.1, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_port_scan_fast", "sap_icm_emulated", "sap_icm_payload" ] }
13/06/2026 18:38:36 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mysql", "app_proto": "mysql", "asn": 8796, "country": "SC", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b1020e21b3d9f109d6025c5f30f49cae79775d74", "event_fingerprint": "fc636b2a9fe65cd127101ef17af779a5183b0a0c", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed24b1ab4b75c6a3507bce9a4e30f5538119e65f", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 37, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 6379, 6443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 36, "scan_velocity_ports_per_s": 10.15, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_bruteforce_burst", "net_port_scan_fast" ] }
13/06/2026 18:38:36 UTC	TCP	5900 · VNC	vnc	Scan de ports port scan syn · via VNC:5900 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast vnc_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5900 Chemin / cible — Service VNC Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "524642203030332e3030380a", "emulator_response_len": 12, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "vnc", "app_proto": "vnc", "asn": 8796, "country": "SC", "dst_port": 5900, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "63e878046ac5952ae8d7e88266150b3c968f3b2b", "event_fingerprint": "ea0da68d73985439001a72e01b1268bfc3244e18", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5900, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7511397b243bd63f8296f0117f1b714ea2e0221e", "protocol_details": { "port": 5900, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5900 \u00b7 (reconnaissance)", "target_port_label": "5900 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5900, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5900, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5900 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5900 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 38, "port_scan_ports_sample": [ 21, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 37, "scan_velocity_ports_per_s": 10.42, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "vnc_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	22 · SSH	ssh	Scan de ports port scan syn · via SSH:22 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SSH WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast ssh_banner_grab ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "SC", "dst_port": 22, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a9b517824c94778e6748155f74784f3a93add744", "event_fingerprint": "b4929bf32779aefad610d20ae581619a267ba9f6", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87e0ca97b7bdc4227f7650f13d3e74f6532996ff", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 39, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 38, "scan_velocity_ports_per_s": 10.68, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "ssh_banner_grab", "ssh_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	873 · RSYNC	rsync	Scan de ports port scan syn · via RSYNC:873 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RSYNC WAF — Recommandation Surveiller Tags net_port_scan_fast rsync_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 873 Chemin / cible — Service RSYNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "rsync", "app_proto": "rsync", "asn": 8796, "country": "SC", "dst_port": 873, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "2b9924e4ee70903ed67db5f76eb0892ba7020d7c", "event_fingerprint": "946b05c81089bfc0460f7ef64cf5c3f3734227ed", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rsync", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 873, "service": "rsync", "service_name": "rsync", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce662a52958afa5105b86420b22ca8699c87383b", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RSYNC \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rsync", "service_label_fr": "RSYNC", "dst_port": 873, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rsync", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rsync", "service_banner": "honeypot-rsync", "service_os": "linux", "dst_port": "873" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 39, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 39, "scan_velocity_ports_per_s": 10.47, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rsync_emulated" ] }
13/06/2026 18:38:36 UTC	TCP	23 · Telnet	telnet	Scan de ports port scan syn · via Telnet:23 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "telnet", "app_proto": "telnet", "asn": 8796, "country": "SC", "dst_port": 23, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "48d8b4c7f2062b33e6f848537fa0c8db6498193d", "event_fingerprint": "b01c5d414ece661f92cba2c282935e85d119d5b1", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7dbc040b9cb1a53a382d952cdc79ad2227ec11e", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Telnet \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 39, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 39, "scan_velocity_ports_per_s": 9.99, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "telnet_emulated" ] }
13/06/2026 18:38:34 UTC	TCP	23 · Telnet	telnet	Scan de ports port scan syn · via Telnet:23 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_telnet_probe telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "telnet", "app_proto": "telnet", "asn": 8796, "country": "SC", "dst_port": 23, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883", "event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be2c0985c6ebb191ce2c60e0e8812b6f5c84cf28", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Telnet \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 23, 873, 2049, 3389 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 0.9, "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_telnet_probe", "telnet_emulated" ] }
13/06/2026 18:38:32 UTC	TCP	2049 · NFS	nfs	Scan de ports port scan syn · via NFS:2049 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NFS WAF — Recommandation Surveiller Tags net_nfs_probe nfs_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Service NFS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "nfs", "app_proto": "nfs", "asn": 8796, "country": "SC", "dst_port": 2049, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "fb1fe4a93d6b75d8d59c7e61a7ce522f5ba075ca", "event_fingerprint": "923118becffb962b98707ace1a35bf197f6f487b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "nfs", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2049, "service": "nfs", "service_name": "nfs", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8bb9e31d0c256b9a8046d136f35383eaac5d4131", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nfs", "service_label_fr": "NFS", "dst_port": 2049, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nfs", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nfs", "service_banner": "honeypot-nfs", "service_os": "linux", "dst_port": "2049" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 0.89, "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_nfs_probe", "nfs_emulated" ] }

45.207.205.45

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence