Détails IP 46.62.193.48

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 30/05/2026 10:37 UTC

Dernière observation 17/06/2026 02:59 UTC

Événements (période) 98

MITRE ATT&CK principal TA0007 105 occurrences

Activité suspecte · risque 42/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_6379_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 8

Comparaison ASN / FAI

ASN 24940 · 46.62.128.0/17 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 98 événements sur la période pour cette IP.

188.245.53.16 Sonde SSH 17/06/2026 01:36 UTC
46.225.23.118 Sonde SSH 17/06/2026 00:49 UTC
95.216.72.235 Sonde port 3389/TCP 15/06/2026 19:31 UTC
162.55.237.115 Sonde port 22/TCP 13/06/2026 18:33 UTC
65.109.227.71 Sonde port 08/06/2026 11:27 UTC
195.201.41.65 Sonde RDP 08/06/2026 09:35 UTC
116.203.138.135 Sonde SSH 08/06/2026 06:07 UTC
37.27.244.229 Sonde VNC 08/06/2026 03:32 UTC

IPs apparentées

Même FAI Hetzner Online GmbH — corrélation indicative.

188.245.53.16 Sonde SSH
46.225.23.118 Sonde SSH
95.216.72.235 Sonde port 3389/TCP
162.55.237.115 Sonde port 22/TCP
65.109.227.71 Sonde port

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

ELASTICSEARCH TCP 92 REDIS TCP 6

ELASTICSEARCH

REDIS

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

98 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 03:18:17 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "elasticsearch", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 03:17:49 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 02:59:12 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 02:48:24 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 02:32:01 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 02:25:37 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 02:05:40 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 01:39:43 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "elasticsearch", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 01:39:29 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 01:17:12 UTC	TCP	6379 · REDIS	redis	Sonde port 6379/TCP port 6379 tcp · via REDIS:6379 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Commande Redis : *2 Émulateur REDIS WAF — Recommandation Surveiller Tags mongodb_hello_probe net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Preuve honeypot — Sonde port 6379/TCP Connexion détectée sur le port 6379 (TCP) du capteur simulé. Service REDIS Redis Commande Redis : 2 Payload 2 $5 HELLO $1 3 Pourquoi cette classification : Type « port_6379_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2 $5 HELLO $1 3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2d4e4f415554482041757468656e7469636174696f6e2072657175697265642e0d0a", "emulator_response_len": 34, "bytes_in": 22, "payload_entropy": 3.2221915755066775, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "redis", "app_proto": "redis", "asn": 24940, "country": "FI", "dst_port": 6379, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e20d40873993cd1d89a8c4597ba770a2e4f089b6", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "redis_probe", "service_name": "redis", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "52a9c317679b3b1386560a742f4fdcda", "path_pattern_hash": "42eb67f6877c6439dbde87dd6ec1f324" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "evidence": { "request_sample": "2\r\n$5\r\nHELLO\r\n$1\r\n3\r\n", "payload_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7583c9cc7e3a78625afd476cd341658d119173f", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6379_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "redis_command_fr": "Commande Redis : 2", "payload_preview": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port 6379 tcp \u00b7 via REDIS:6379 \u00b7 (sonde \/ probe)", "evidence_snippet": "2\r\n$5\r\nHELLO\r\n$1\r\n3", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "elasticsearch", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_redis_probe", "redis_emulated" ], "asn_dc_heuristic": true }
17/06/2026 01:15:03 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 01:10:38 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:57:23 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:39:23 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:38:35 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:20:44 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:13:52 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
17/06/2026 00:04:04 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 23:45:52 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Sonde Elasticsearch elasticsearch probe · via ELASTICSEARCH:9200 · (sonde / probe)	Élevée	Faible · 22
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Sonde Elasticsearch (REST) Émulateur ELASTICSEARCH WAF — Recommandation Surveiller Tags elasticsearch_emulated net_elasticsearch_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9200 Chemin / cible — Service ELASTICSEARCH Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 22 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 22, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6dfec99b98d53481ee9b4cf1a1a54e12b0341ca9", "event_fingerprint": "64ce65412bf1b81fa23464b76dd480979155e3d0", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 22 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 22 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "191a0c390e0c8bb3045189c33e41a4f22e6ddf86", "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 22 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 22, "risk_label": "Faible", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "elasticsearch_emulated", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 23:40:05 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 23:21:08 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 23:15:58 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 22:52:33 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 22:39:02 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 22:32:43 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 22:26:08 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 22:00:56 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 21:39:44 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 21:20:40 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 20:36:19 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 20:27:45 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 20:22:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:54:10 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:52:07 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:47:06 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:44:59 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:42:27 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:39:07 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:21:35 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:16:31 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:09:59 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 19:06:07 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 18:38:21 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 18:34:29 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 18:12:21 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 17:57:39 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 17:54:27 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 17:50:58 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 17:26:40 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }
16/06/2026 17:05:20 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan vulnérabilités scanner vuln · via ELASTICSEARCH:9200 · (sonde / probe) · → /_cat/indices	Élevée	Moyen · 58
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /_cat/indices Requête Elasticsearch : /_cat/indices?format=json&h=index,docs.count,st… UA python-httpx/0.27.0 Émulateur ELASTICSEARCH WAF 19 Recommandation Investiguer Tags 950325:rce-0 950468:nosqli-3 950607:elastic-cat anomaly:high-entropy-query Cible HTTP GET /_cat/indices TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /_cat/indices Service ELASTICSEARCH Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 58 Confiance : Confiance 95 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0596 pat-0439 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES cat indices Sigma httpx tool UA httpx Ligne de requête `GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1` User-Agent python-httpx/0.27.0 Règles WAF rce-0 nosqli-3 elastic-cat Payload (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, Requête brute (extrait) GET /_cat/indices?format=json&h=index,docs.count,store.size HTTP/1.1 Host: 62.3.50.33:9200 Accept: / Accept-Encoding: gzip, deflate Connection: keep-alive User-Agent: python-httpx/0.27.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 2, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "9ae95823669620d3fd1423880dcae24122b4dd0d", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "bc93c585c88f80db4a0036a113f5230288405028", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.212188774989978, "port_category": "registered", "org": "Hetzner Online GmbH", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 24940, "country": "FI", "dst_port": 9200, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 50, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6a0cd037520ee1c5cd3cc0089e94e10247966244", "event_fingerprint": "b9399e0b68d02746f81e43f23ff775ad6b490474", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 106, "precision_signals": [ "pat-0596", "pat-0439" ], "kb_rule_ids": [ "pat-0596", "pat-0439" ], "matched_patterns": [ "pat-0342", "pat-0596", "pat-0439" ], "matched_pattern_names": [ "ES cat indices", "Sigma httpx tool", "UA httpx" ], "pattern_ids": [ "pat-0342", "pat-0596", "pat-0439" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "elasticsearch", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FI", "asn": 24940, "org": "Hetzner Online GmbH", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58e2be1e1b5b3a305ddae7591cc79c58", "payload_hash": "09345fdcec4c5b2b12af63af0e3b42a5", "path_pattern_hash": "a5425e010c1f4e25ebcaced2b0353923" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 58 }, "payload_preview": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "evidence": { "method": "GET", "path": "\/_cat\/indices", "query_string": "format=json&h=index,docs.count,store.size", "user_agent": "python-httpx\/0.27.0", "waf_tags": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat" ], "waf_rule_names": [ "rce-0", "nosqli-3", "elastic-cat" ], "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "request_sample": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nUser-Agent: python-httpx\/0.27.0\r\n\r\n", "payload_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf5ebe88046f3820c5e56a4ef11d2c1bd60ae63a", "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 95 % \u2014 via ELASTICSEARCH", "confidence_pct": 95, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 40, "protocol": 50, "novelty": 30, "risk_score": 58 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 58, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "pat-0596", "pat-0439" ], "tags_summary_labels_fr": [ "pat-0596", "pat-0439" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/_cat\/indices", "request_line": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1", "http_user_agent": "python-httpx\/0.27.0", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/_cat\/indices?format=json&h=index,docs.count,st\u2026", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "scanner vuln \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_cat\/indices", "evidence_snippet": "GET \/_cat\/indices?format=json&h=index,docs.count,store.size HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nAccept: \/\r\nAccept-Encoding: gzip,", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950325:rce-0", "950468:nosqli-3", "950607:elastic-cat", "anomaly:high-entropy-query", "http_probe_elastic", "net_elasticsearch_probe" ], "asn_dc_heuristic": true }

46.62.193.48

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence