|
|
TCP |
23896 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:23896 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
23896
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:23896
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:23896 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "4aa9989d07f5b79f906f97bc029e9ebe53d13125",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.1834266028895755,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 23896,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "7f9945402992ad5d1db468752f7694997c4223da",
"event_fingerprint": "aaf00ada5927e330ea9296f6e313a7d2aace6633",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "ee588f08fceb7eb9560aa4e5bd6903f8",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 23896,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "15b031de9e3df29a17ec42f5184fe182513e2098",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 23896,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:23896 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "23896 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 23896,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 23896,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:23896 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:23896\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "23896 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "23896"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
18472 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:18472 · (tentative d'exploit)
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18472
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 59
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:18472
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:18472 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "cdefaa95c0689d3cd2ba63893e2a57dfe5917873",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.227540320151742,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 18472,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "9fa98f275e113f841a57553d66115f978bc6abc3",
"event_fingerprint": "fc8afaced96ef29a7f1d94fad83f2c6a947cce88",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c72324cf2acc16e41dd3723fc1c7b5b6",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 18472,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b0bd2749b50965a95c4d6aa020cb1c1f9d792f33",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 18472,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:18472 \u00b7 (tentative d'exploit)",
"target_port_label": "18472 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 18472,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 18472,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:18472 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18472\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "18472 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "18472"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
12806 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:12806 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12806
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 55
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:12806
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:12806 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "12aa312f8b1cc11b96e2560e42ad284079866d9e",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.187229908116527,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 12806,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a0af6d07ac8f80016031913fc7037b98aeadd45b",
"event_fingerprint": "3d0baada912a9dd22ffe0ee2d25ebd87c585ac29",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "a622bbfd41243e2ccf4939b01c6b1664",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 12806,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9a259c18f0ba7fd2a6a117509910db76b39120cb",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 12806,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:12806 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "12806 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 12806,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 12806,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:12806 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12806\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"target_port_label": "12806 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12806"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
27405 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:27405 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 54
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
27405
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 54
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:27405
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:27405 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "6d73d2cddfe1577cbb93bafccf9589491699ea95",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.1794743123023315,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 27405,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 54,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "ba45b726b8cd2f660ccd0257d32e40bbc2398c11",
"event_fingerprint": "baac7935dab4eacc454c1aa5caef334399cfa6bf",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 54
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "d7fe276115dc2905b7eda59cbfc1b8bd",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 27405,
"service": "http",
"service_name": "http",
"risk_score": 54
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9442139f4271d9013cb02b7c4decc87527387af0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27405,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:27405 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "27405 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 54
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 27405,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27405,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:27405 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:27405\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "27405 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "27405"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
21112 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:21112 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
21112
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 59
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:21112
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:21112 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9d5460283a18744d3ff12bc0a2878ec8ea56cea6",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.193720755800511,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 21112,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ea2956ac0591f9e08480625e0c85ee1f35f3d036",
"event_fingerprint": "61b2a6b91244a8e45791149f4cca0f1bbc8b0378",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c3c6e8802d99b94d1794aa487feab26a",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 21112,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c04938bd86fbc4b4010a06efdde374433bff381d",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21112,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:21112 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "21112 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 21112,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21112,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:21112 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21112\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "21112 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "21112"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
20295 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:20295 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20295
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:20295
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:20295 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9ab27a858db8cb4e0d2228bc6523aa89f25c1eec",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.195874946563656,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 20295,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "23bff7069b99372a0eb3aca71145701f5e495557",
"event_fingerprint": "5ab3e829003e1857b34d539def172b4c3418ef07",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c9c6cf59b3e00e01e2d5de8c06c4cf7b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 20295,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9f8ae256332e00e343961e816c4ee388025b7163",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 20295,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:20295 \u00b7 (tentative d'exploit)",
"target_port_label": "20295 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 20295,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 20295,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:20295 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20295\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "20295 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "20295"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
21306 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:21306 · (tentative d'exploit)
|
Élevée
|
Moyen · 61
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
37
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
21306
Chemin / cible
/
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 61
Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
POST / HTTP/1.1
Host: 62.3.50.33:21306
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-Le
Requête brute (extrait)
POST / HTTP/1.1 Host: 62.3.50.33:21306 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version:
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "99ad96e860ee234ebe729ac0a4be4c49e1a52469",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 445,
"payload_entropy": 5.197322653462195,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 21306,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 61,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "0ad00f3b1ad146d128496cc12f38dda50a2e579a",
"event_fingerprint": "8209c08083f8d83cafc981181a4e180f45e8aa5f",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "34c5b2e559e10ba7a450a0c0941625f8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 21306,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"evidence": {
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b9588d4509c8937192f8ce94d409f1cd4dc62ad7",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21306,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"attack_vector": "http smuggling probe \u00b7 via HTTP:21306 \u00b7 (tentative d'exploit)",
"target_port_label": "21306 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 21306,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21306,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:21306 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:21306\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"target_port_label": "21306 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "21306"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
10421 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:10421 · (tentative d'exploit)
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10421
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 55
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10421
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10421 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1566f03b31bc54c45c7236adeaffc8fd3e0a19a0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.188145188127183,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 10421,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "6ebf720db303cf82c702210d2f6184b8cd4b7958",
"event_fingerprint": "eb6772fb98b7bc7efa536edefeabbc4018bb8ac0",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 55
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "9aab0bfbbbe18560c879c86a15f4d8e8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10421,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "20a50141a6b98b764b235c3b865fef7cedb56026",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10421,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:10421 \u00b7 (tentative d'exploit)",
"target_port_label": "10421 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 55
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10421,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10421,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:10421 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10421\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "10421 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10421"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 2,
"behavior_priority": 84
}
|
|
|
TCP |
10749 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:10749 · (tentative d'exploit)
|
Élevée
|
Moyen · 63
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
37
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
10749
Chemin / cible
/
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 63
Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
POST / HTTP/1.1
Host: 62.3.50.33:10749
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-Le
Requête brute (extrait)
POST / HTTP/1.1 Host: 62.3.50.33:10749 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version:
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e15f0d57523fd0f49ab6b95d0b8435f83a07d6e4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 445,
"payload_entropy": 5.2235576468121,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 10749,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 63,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "56e3365339041e8227de3d41d58d2b2b5eeb772f",
"event_fingerprint": "8a7afef40d515896ef430cb1315c4a6ed8f77ece",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "96fbae5da0cd2a6dd3fb413268d95391",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10749,
"service": "http",
"service_name": "http",
"risk_score": 63
},
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"evidence": {
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "575119c385dc8b181a231df19dea9bd531d85f00",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10749,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"attack_vector": "http smuggling probe \u00b7 via HTTP:10749 \u00b7 (tentative d'exploit)",
"target_port_label": "10749 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 63,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10749,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10749,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:10749 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:10749\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"target_port_label": "10749 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10749"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
29575 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:29575 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
29575
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 59
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:29575
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:29575 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "fc93ffdd05e9e91286213c95a5fad0a3a40b2e51",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.21530035840002,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29575,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 59,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "8eac648973d4ede4e8359af38371cf1489eff0bb",
"event_fingerprint": "6cd4d241d7c6a526f3dada5e6733b58452977eb8",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "504ed2c99aee3f112cee7156ee9490bb",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 29575,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "75c43874ccc5c12e2644a69236d831a7c1262963",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29575,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:29575 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "29575 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 59
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 29575,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29575,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:29575 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29575\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "29575 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "29575"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
18961 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:18961 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 62
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
18961
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 62
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:18961
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:18961 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "35306f66851b6caa66f31b54933ada49b74168f7",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.2171660537112645,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 18961,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 62,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "599baf138e01f9f28a57cae757bab7b38a33cc20",
"event_fingerprint": "e88290a973a962965d782481d0d1e1090ff3d24f",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 62
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "156fdbc7530bae07c2f698a2f11e4827",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 18961,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8e86d387a57ce952a138824767fdb22e47bd14d7",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 18961,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:18961 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "18961 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 62
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 18961,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 18961,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:18961 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:18961\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "18961 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "18961"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
12344 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:12344 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
12344
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 60
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:12344
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:12344 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "c022ee95183c97dd79d02408f9699b224d921876",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.210836072685734,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 12344,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "fba3dbd6663618cb78348297a39cd128432d79c8",
"event_fingerprint": "e7de8018656a587b8d5fa6072fdef4d0d9de64b0",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "51afcfbba7f2da997e7dafc928de9183",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 12344,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7f05003667189b761d67af9397c819fe27b9de88",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 12344,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:12344 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "12344 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 12344,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 12344,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:12344 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:12344\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "12344 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12344"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 7,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
6338 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:6338 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 61
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
6338
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 61
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:6338
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:6338 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "846fde8c527c392e545364b86c2a47717fe981e3",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 447,
"payload_entropy": 5.206913499922797,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 6338,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 61,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "44fe01e83e14b2c86f5c3b250d80635c1c429574",
"event_fingerprint": "b057aad73d50b9ef7ecbe6a42b552b3b68cb040e",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "3ce9ae32e1e3c23dbcf6a58cc44c8f71",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 6338,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "583f10d6ad521aba0334d140832f4b360351dd5e",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6338,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"attack_vector": "http smuggling probe \u00b7 via HTTP:6338 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "6338 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 6338,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6338,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:6338 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6338\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"target_port_label": "6338 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "6338"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
31649 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:31649 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
31649
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 64
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:31649
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:31649 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "8ac92f0a50fae8342f81a68d7c760c350f823b9c",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.218166904192753,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 31649,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 64,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "a3d8a3ed79701a355556678cd38a0f0b1b4eebe7",
"event_fingerprint": "c23659c2b98f8209477c8d30ec3a5f1bba406e85",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "0a8480f72a97bd7147cb9cfb32ba9d9a",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 31649,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a52ba19d100b5f40871c4e3cefc50654fdf5a6d1",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 31649,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:31649 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "31649 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 31649,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 31649,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:31649 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:31649\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "31649 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "31649"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 10,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
24604 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:24604 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
24604
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
60%
Corrélation +10
Risque capteur
Moyen
· 57
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:24604
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:24604 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "738b8dbab0fa2df6e4a8bd129eebcc4b8dbf5b0d",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.19396024594267,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 24604,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "25718eac361b6a2cb078e18c15cd4547bd5e722c",
"event_fingerprint": "3b5910d5579bfdfa1f1db5ca72a7750268098984",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.6,
"classification_confidence": 0.6,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "4f9efa84f2edcaf77091d4ee1d333af9",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 24604,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ffe889b524fd1dea0f8b1860c82675a002468fb4",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 24604,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:24604 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "24604 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 24604,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 24604,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:24604 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:24604\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"target_port_label": "24604 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "24604"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 7,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
27305 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:27305 · (tentative d'exploit)
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
37
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
27305
Chemin / cible
/
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 64
Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
POST / HTTP/1.1
Host: 62.3.50.33:27305
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-Le
Requête brute (extrait)
POST / HTTP/1.1 Host: 62.3.50.33:27305 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version:
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "96d720998948010805deebfbb10e9f0f70d6f00d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 445,
"payload_entropy": 5.205157906086965,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 27305,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.1,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 64,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "65d2c528d978086ce7aa91c5d4015a5bd70f2fbc",
"event_fingerprint": "89375be36ed338b7e34066088ea7825f7b77045c",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "12140e85c386f95a7251313e3299b21c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 27305,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"evidence": {
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ceae07c67e048de7a8ab22c73ad5abe46c695343",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27305,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"attack_vector": "http smuggling probe \u00b7 via HTTP:27305 \u00b7 (tentative d'exploit)",
"target_port_label": "27305 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 27305,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27305,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:27305 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:27305\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"target_port_label": "27305 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "27305"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 18,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
22623 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:22623 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
22623
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:22623
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:22623 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "3e43d912835530aed94412475b3fd7e92f7e8254",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.181563308657489,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 22623,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2f41257aa2613b50b3310c99e316b91bfd6aa012",
"event_fingerprint": "7cb3b80ecd7b7c7ad169ccb08615e866707fcc6d",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "2760dc5f6062208c72af28dec5f6201c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 22623,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4011eed9306ebf128cfbc18288accc9b5b79bcf3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22623,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:22623 \u00b7 (tentative d'exploit)",
"target_port_label": "22623 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (5.226.140.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 22623,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22623,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:22623 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22623\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "22623 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (5.226.140.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "22623"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "5.226.140.0\/24",
"coordinated_ip_count": 8,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
19296 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:19296 · (tentative d'exploit)
|
Élevée
|
Moyen · 62
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
37
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
19296
Chemin / cible
/
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 62
Confiance : Confiance 95 % — Motif catalogue confirmé · 6 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
POST / HTTP/1.1
Host: 62.3.50.33:19296
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-Le
Requête brute (extrait)
POST / HTTP/1.1 Host: 62.3.50.33:19296 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version:
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "b4472f95ad5ae63bba9e1d2682a18e4441657ff4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 445,
"payload_entropy": 5.212131845520134,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 19296,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 62,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "53bebc359f5d00881c5eabe68f3984ad574810aa",
"event_fingerprint": "0e99a0de9b0fe881d33f410c307f1ee22910c539",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 62
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "a4be6ee88ed16d47dbc499558b47a9b1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 19296,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"evidence": {
"method": "POST",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "POST \/ HTTP\/1.1",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version:",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c9adfe21a650d1da2a7d016b3541bc794da7f6e3",
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 19296,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"attack_vector": "http smuggling probe \u00b7 via HTTP:19296 \u00b7 (tentative d'exploit)",
"target_port_label": "19296 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 62
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 19296,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/",
"request_line": "POST \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 19296,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:19296 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:19296\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Le",
"target_port_label": "19296 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "19296"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
7028 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:7028 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7028
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:7028
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:7028 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "3ab32a59790723a03288fc8232b8e6d0bc2a2af3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.206419253236291,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 7028,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "519da7fbe82cf282925713c5077cce1ba0c79328",
"event_fingerprint": "838283982298b11e442e31fdd274f49210873375",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "fa8d8b7fc047f5ed791e110fd742286c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7028,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5a7529503364e1d0750866e9b96cda3bcba7c68",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 7028,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:7028 \u00b7 (tentative d'exploit)",
"target_port_label": "7028 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7028,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 7028,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:7028 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7028\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "7028 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7028"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
10428 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:10428 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10428
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 56
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:10428
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:10428 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "5fff4c36430bc89a2674d960bd90a79c472300ac",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.176907689288337,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 10428,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "44365b77d0b65e3a4d56953f1f374ad2c415a717",
"event_fingerprint": "8ee29d66d2d394c06d245e6303a93ba1fd613efc",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "339d48f940c43cca1f60ea0bffdbc34e",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 10428,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "61fa7fccc2d380ecaa89a217dd42ecae31b727dd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10428,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:10428 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "10428 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10428,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 10428,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:10428 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:10428\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "10428 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10428"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
1256 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:1256 · (tentative d'exploit)
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1256
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 57
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1256
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1256 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "dd77a48616bc865c00450e2151c6872ae7eb3034",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.178934354379854,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 1256,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 57,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "3e77cd11467b4196e1f37f9473ed296ddf24c6a5",
"event_fingerprint": "fbd102578dc192a38cfda537800d2b6666165ad6",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 57
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "9dab5b1e1b55524c3c00593f12f5a748",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1256,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "11e3b653900802a85235e3e7b3f89385449cbb23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 1256,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:1256 \u00b7 (tentative d'exploit)",
"target_port_label": "1256 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 57
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1256,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 1256,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:1256 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1256\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "1256 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1256"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
5563 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:5563 · (tentative d'exploit)
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5563
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 57
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5563
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5563 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1aa58c4e31bb040e5c177466379b5517ecfef994",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.171737172311436,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 5563,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 57,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "2cac8ce9d1804fb1d2b6e6eaad8e5ebaa7ea186e",
"event_fingerprint": "42ccbea1032722ca551fadb54cec743df0238f82",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 57
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "2be55b1e1b50db3ee8618494ecec2235",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5563,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c26048a35e00f81591ad455490ffc59a29bd45fe",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 5563,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"attack_vector": "lfi path traversal \u00b7 via HTTP:5563 \u00b7 (tentative d'exploit)",
"target_port_label": "5563 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 57
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5563,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 5563,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:5563 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5563\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"target_port_label": "5563 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5563"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
7670
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7670
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:7670
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
A
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7670 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "8c73e581fda280f6b92d26c52b087f48822d6f0e",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 184,
"payload_entropy": 5.184306930534605,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 7670,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "cd3b41c102a49f0f9d68f12a9bd6b69152728c36",
"event_fingerprint": "19f76e7881cfbb88430afddfcdcb0665172c2dea",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "d6317817ac37e7bc725c5ead2c68beee",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 7670,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7670\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7670\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7670\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7670\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7670\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "85be05bfa6066a5999dd7411f99f70d9b22ff8aa",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
12671
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12671
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:12671
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:12671 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "294906a1a1ea94c975ee695bd438ad12bf20a513",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.185259486621391,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 12671,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "de9770a87b4a4ec9ff1cb52d566269b37ca4ae4a",
"event_fingerprint": "504687ce6e38ead29930ac33546fd42d5513104e",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "fa648ff7afe5e0530670df853553085c",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 12671,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12671\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12671\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12671\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12671\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12671\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9a6cf261399f534c1a4906d97061765703ae6acf",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
2531
|
http
|
web attack
|
Élevée
|
Moyen · 63
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2531
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2531
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "fe40b3358c5cb5d76678350414b35a87b9f0c5b8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.171737172311436,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 2531,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "7e97a5c29f84a6a4c187fc4f94fb17a1494619d4",
"event_fingerprint": "079bb4183271481fb905cae332ba70d4dead546e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "458a1ac4f9f8305bfd99b691e7b1fe04",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2531,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2531\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"event_signature": "c225c70b768ee65e90d0d18fa98ab2832c02eb7f",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
8512
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3925
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
26406
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
26406
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "6f91f54b60295ec1a0eea4be7fe6f2c1c85cc6e8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.2002133804841355,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "2745b09da1da316ad34d675b09f573b964c10503",
"event_fingerprint": "0f06d898ba24826ff38bfa8a101968e522907e8e",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
23154
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8387
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8387
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "f64d3480afddf9341fa0453135299d2a7f1bb8d2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.206419253236291,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "dda154cc8b3bbd28e2e457ef8168a888b118a5f7",
"event_fingerprint": "188d6baa350cf258a50b6627c22336d7f7db75ab",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
21121
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
74
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
889
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
24330
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
24330
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "3c92300ae97fa69d9e1c3946e50b7c276c6c5c0b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.188145188127182,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "40285f20c3c00deabf92e8c5f698100fb07c5482",
"event_fingerprint": "88f9cb4b7e00024bfb1e373c6105ab848b33e090",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
31371
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
14414
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
14414
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "91a0927f14a482f5c2e639264ce73ed0f9957808",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.190962573159786,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "8c8183e5ad9b2bd5f52f79cb025499816127d0fe",
"event_fingerprint": "45d645974e3f76b8db5a89bb83977bb09554bd7e",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
12417
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
10704
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
7005
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
29951
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
26132
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
15403
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
15403
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "f913e5b041d96c71ba0af5a844a498a0ff44ac0e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.185901742577968,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "6c1ad3dc7f6e5258ce74078b18c6d0305b1570fe",
"event_fingerprint": "7b1db75366807b8db5eab0a04c5d7026493f811c",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
16583
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
16583
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "7680ce500f2ad3c1ff4f4c93585bc236ea28de87",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.193057561531052,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "4d7ff3c9a78f868c4a35b6439ee77adc27d879fe",
"event_fingerprint": "edea3fda7aaa341167c7d07f4907f0f10efae131",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
31131
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
26798
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5474
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5474
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "8f7ad8dc1527ee92fddceac6f754a555e591fb8f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.209252923731511,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "c7c2a3947db17e19a6ab707213619c8640f61049",
"event_fingerprint": "43b254c9d65c652ec705bf3565edb4fc2ce83852",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
14178
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
14178
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "3ce6edb853d8bfefae346c52c25350d869e08e9f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.2182895128273925,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "5a1e1ed6f787e0c49b3648e6e7a0cbe1e6429dfe",
"event_fingerprint": "d16285da68b7cc642f058405f856dec3aa159617",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
11268
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11268
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "2a3d7c5c0ec29d4b34f50777ba813c841d7fffc0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.195301007080266,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "93a0b8a57674acea42bc26ab1801be470a6b2f83",
"event_fingerprint": "66c2a74a37a85ff1db420a23ed192b9ee2ca8a64",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
28790
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
4273
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|