Détails IP 50.114.172.201

Synthèse exécutive

Profil de menace

Score de risque —

Première observation 16/06/2026 09:09 UTC

Dernière observation 16/06/2026 09:14 UTC

Événements (période) 442

MITRE ATT&CK principal —

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

ssh_probe

Comparaison ASN / FAI

ASN 8796 213840 · 50.114.172.0/24 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 442 événements sur la période pour cette IP.

23.165.40.135 Sonde port 23/TCP 16/06/2026 20:40 UTC
154.19.242.224 Sonde port 23/TCP 16/06/2026 20:20 UTC
38.49.38.178 port attack 16/06/2026 17:50 UTC
45.207.205.45 Cross-site scripting 13/06/2026 19:16 UTC
45.205.27.52 Sonde SSH 29/05/2026 11:09 UTC
156.238.224.50 Sonde SSH 25/04/2026 06:39 UTC
149.88.88.251 telnet attack 16/04/2026 20:11 UTC
156.238.252.133 Sonde SSH 21/02/2026 07:36 UTC

IPs apparentées

Même FAI FASTNET DATA INC — corrélation indicative.

23.165.40.135 Sonde port 23/TCP
154.19.242.224 Sonde port 23/TCP
38.49.38.178 port attack
45.207.205.45 Cross-site scripting
45.205.27.52 Sonde SSH

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

442 événement(s) — page 2/9

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 09:13:34 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �z�$2�Ww��u��qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �z�$2�Ww��u��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| �z�$2�Ww��u��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�z�$2�Ww��u��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �z�$2�Ww��u��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.823880698049838, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "75f8637b1c48e65e520c4258cf8e9094", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efeee4a0262da307e827b1a56af97cb1806d266f", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffd\u001f\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdz\ufffd$2\ufffdWw\ufffd\ufffd\ufffdu\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 44, "ssh_auth_burst_rate": 3.14 }
16/06/2026 09:13:34 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| Q�=H e��)+qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| Q�=H e��)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| Q�=H e��)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \| Q�=H e��)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| Q�=H e��)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.832328837028959, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "047b3a7a0e977109f66b33537222a568", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29d79099a75a03f3d098e7e13e2b2b1ec9a04085", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\rQ\ufffd=H\ne\ufffd\ufffd\ufffd\ufffd)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\r\u0010Q\ufffd=H\ne\u0001\ufffd\ufffd\u001e\ufffd\ufffd)+\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\rQ\ufffd=H\ne\ufffd\ufffd\ufffd\ufffd)+qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 47, "ssh_auth_burst_rate": 3.35 }
16/06/2026 09:13:33 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �i�/�M6a�w�w�Qqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �i�/�M6a�w�w�Qqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| �i�/�M6a�w�w�Qqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�i�/�M6a�w�w�Qqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �i�/�M6a�w�w�Qqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.821181871183938, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d3291826b86662ba374943d2d798140e", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5f5d865a3fd3da5dbed12b622830bc7bf8734c97", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdi\ufffd\/\ufffdM6a\ufffdw\ufffdw\ufffdQqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdi\u001f\ufffd\/\ufffdM6a\ufffdw\ufffd\u0005w\ufffdQ\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdi\ufffd\/\ufffdM6a\ufffdw\ufffdw\ufffdQqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 40, "ssh_auth_burst_rate": 3.07 }
16/06/2026 09:13:33 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��%�5�w��`0�qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��%�5�w��`0�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| ��%�5�w��`0�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��%�5�w��`0�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��%�5�w��`0�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.836216920712725, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ebddcff86b90d3a7dd05988dfa18d061", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a294eb832b3a0311c778878bd9cb66d7626873de", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0004\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd%\ufffd5\ufffdw\ufffd\ufffd\ufffd\ufffd`0\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 43, "ssh_auth_burst_rate": 3.31 }
16/06/2026 09:13:32 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��.z>�JQJ��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��.z>�JQJ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��.z>�JQJ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��.z>�JQJ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��.z>�JQJ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.851734624132887, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0021fb7dbe365a11dcaa343a591c912d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec48fea950c2df83b1f171e077ff78b506c119dc", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffd\ufffd\ufffd.z>\ufffdJQJ\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001d\ufffd\ufffd\ufffd.z>\ufffdJQ\u001dJ\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffd\ufffd\ufffd.z>\ufffdJQJ\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 38, "ssh_auth_burst_rate": 2.53 }
16/06/2026 09:13:32 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �a�� C��qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �a�� C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| �a�� C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�a�� C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �a�� C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.8445420312110015, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8c145a07619df241c0d258d9df82e801", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ceeb99b5abb43a1b55a89d5f47114c085bbbb59e", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffda\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0017\ufffda\ufffd\u0018\ufffd \ufffd\ufffd\u0003\u000eC\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffda\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 39, "ssh_auth_burst_rate": 3.25 }
16/06/2026 09:13:31 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �Sb-݋ۂ �'zt��qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �Sb-݋ۂ �'zt��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| �Sb-݋ۂ �'zt��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�Sb-݋ۂ�'zt��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �Sb-݋ۂ �'zt��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.837244921742057, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b57522d4d6aa06816df1800cdf2b1bf7", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d436491813fe4a3bb4fb42334c834247d3f04e2", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdSb-\u074b\u06c2\ufffd'zt\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdSb-\u074b\u06c2\u000b\ufffd'zt\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdSb-\u074b\u06c2\ufffd'zt\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 38, "ssh_auth_burst_rate": 2.53 }
16/06/2026 09:13:31 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �P�}�ь�d��(�7�qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �P�}�ь�d��(�7�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| �P�}�ь�d��(�7�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�P�}�ь�d��(�7�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �P�}�ь�d��(�7�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.849326155544999, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "28111c45ae1b90911a1039f19ccab931", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "611c5d260c37638988f561c6ae06cb54e509d278", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdP\ufffd}\ufffd\u044c\ufffdd\ufffd\ufffd(\ufffd7\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 37, "ssh_auth_burst_rate": 2.64 }
16/06/2026 09:13:30 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �t{Lz�E�k.#:�Wqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �t{Lz�E�k.#:�Wqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| �t{Lz�E�k.#:�Wqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�t{Lz�E�k.#:�Wqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �t{Lz�E�k.#:�Wqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.842413541012957, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1ab2326719e12df66a05454f8f5b2924", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f8d4bab45cdde788fcf0119c98fe61a91f60ee8", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdt{Lz\ufffdE\ufffdk.#:\ufffdWqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdt{Lz\ufffd\u0010E\ufffdk.#:\ufffdW\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdt{Lz\ufffdE\ufffdk.#:\ufffdWqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 38, "ssh_auth_burst_rate": 2.53 }
16/06/2026 09:13:30 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��R��\��x?��-�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��R��\��x?��-�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��R��\��x?��-�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��R��\��x?��-�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��R��\��x?��-�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.838827003647953, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "caa77c2ea1cfa9521dae890f8759453d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1587daf46a091464c925a283d7cec50cb8ae883", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdR\ufffd\ufffd\\\ufffd\ufffdx?\ufffd\ufffd\ufffd-\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 37, "ssh_auth_burst_rate": 2.64 }
16/06/2026 09:13:29 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ١p�3��;O<��qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ١p�3��;O<��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| ١p�3��;O<��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|١p�3��;O<��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ١p�3��;O<��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.83086452023938, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5e6970d2a7d6a4efd5ad658772b94726", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2bfead6c4557ad056b6e32941e7635ad2e2337f", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\u0661p\ufffd3\ufffd\ufffd;O<\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0661p\ufffd3\u001e\ufffd\ufffd;\u0018O<\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\u0661p\ufffd3\ufffd\ufffd;O<\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 37, "ssh_auth_burst_rate": 2.64 }
16/06/2026 09:13:28 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �]�Xy�4.U��\|��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �]�Xy�4.U��\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| �]�Xy�4.U��\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�]�Xy�4.U��\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �]�Xy�4.U��\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.825663065439992, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ce7893de7699883550148534702b887e", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "16af9d86dcc058a32ca319404e93493386fd0df5", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd]\ufffdXy\ufffd4.U\ufffd\ufffd\|\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd]\ufffd\u000eXy\ufffd\u00014.U\ufffd\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd]\ufffdXy\ufffd4.U\ufffd\ufffd\|\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 41, "ssh_auth_burst_rate": 2.73 }
16/06/2026 09:13:28 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| e�L�\|l��>hqcurve25519-sha256@libssh.org,… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| e�L�\|l��>hqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521… Payload SSH-2.0-Go \| e�L�\|l��>hqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|e�L�\|l��>hqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| e�L�\|l��>hqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.8260233019353995, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ec847d8d15ce77beddb7d45be70adb4d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54f7fceb37b17e46fba60f312109e67613bc722b", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|e\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bhqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014e\b\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bh\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|e\ufffdL\ufffd\|l\ufffd\ufffd\ufffd>\u008bhqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 42, "ssh_auth_burst_rate": 2.8 }
16/06/2026 09:13:27 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ?�� 'h]i��ڼ�qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ?�� 'h]i��ڼ�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| ?�� 'h]i��ڼ�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|?�� 'h]i��ڼ�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ?�� 'h]i��ڼ�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.834092777821083, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "092bdc0ca8952e4933b5ea05d1dd717c", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42baf3cff2db2520695a872f1e49d14a4dc6233f", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|?\ufffd\ufffd\ufffd 'h]i\ufffd\ufffd\u06bc\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014?\ufffd\ufffd\ufffd\u0006 '\u0000h]i\ufffd\ufffd\u06bc\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|?\ufffd\ufffd\ufffd 'h]i\ufffd\ufffd\u06bc\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 41, "ssh_auth_burst_rate": 2.73 }
16/06/2026 09:13:27 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| 9ă�F��_v݄j,B�qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| 9ă�F��_v݄j,B�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| 9ă�F��_v݄j,B�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|9ă�F��_v݄j,B�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| 9ă�F��_v݄j,B�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.8278523149087205, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ef143e501bc2d433d9b0d0f890dbecca", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3180ca99f98dfdfea83c8e9d1c9b7e79215dc39", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|9\u0103\ufffdF\ufffd\ufffd_v\u0744j,B\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00149\u0103\ufffdF\ufffd\ufffd_v\u0744j\u001d,B\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|9\u0103\ufffdF\ufffd\ufffd_v\u0744j,B\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 42, "ssh_auth_burst_rate": 2.8 }
16/06/2026 09:13:26 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| p��n��9�U]A>qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| p��n��9�U]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| p��n��9�U]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|p��n��9�U]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| p��n��9�U]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.82885795375942, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6e8b55a1bd128f4d89759e1644f5ffdc", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf6e41ceaa256f9c9e89bb7f02560c351cd0d07a", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|p\ufffd\ufffdn\ufffd\ufffd\ufffd\ufffd9\ufffdU]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014p\ufffd\ufffdn\ufffd\u0002\ufffd\u0005\ufffd\ufffd9\ufffdU]A>\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|p\ufffd\ufffdn\ufffd\ufffd\ufffd\ufffd9\ufffdU]A>qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 40, "ssh_auth_burst_rate": 2.67 }
16/06/2026 09:13:26 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��?G�#PE��M�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��?G�#PE��M�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��?G�#PE��M�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��?G�#PE��M�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��?G�#PE��M�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.832206932281977, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6a25404e32d37e52aeb8e42e6d19eda8", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3fb16c625c83eac6cc17516b3fea2d2a0b91c7c6", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd?G\ufffd#PE\ufffd\ufffd\ufffdM\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\u0010\ufffd?G\ufffd#PE\ufffd\ufffd\ufffd\u0007M\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd?G\ufffd#PE\ufffd\ufffd\ufffdM\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 40, "ssh_auth_burst_rate": 2.86 }
16/06/2026 09:13:23 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��">��!`�� G�fqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��">��!`�� G�fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��">��!`�� G�fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��">��!`�� G�fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��">��!`�� G�fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.840619549074538, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2bd3f3adf6e4dfa1728fcaa57038f193", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "513cf964cb4815b802424cd524fd913586597bde", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdfqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0010\ufffd\u0013\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdf\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\">\ufffd\ufffd!`\ufffd\ufffd\tG\ufffdfqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 47, "ssh_auth_burst_rate": 3.13 }
16/06/2026 09:13:23 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| 5tg�x�� n� K\U�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| 5tg�x�� n� K\U�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| 5tg�x�� n� K\U�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|5tg�x�� n� K\U�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| 5tg�x�� n� K\U�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.8281848151339535, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2523980fa6a4066b57d4c85fdb758d32", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a060b23d06a32d8a7ef27c6acb992e192d46dd48", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|5tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\U\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u00145tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\\u0003U\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|5tg\ufffdx\ufffd\ufffd\nn\ufffd\rK\\U\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 49, "ssh_auth_burst_rate": 3.27 }
16/06/2026 09:13:22 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��g��JG�!qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��g��JG�!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��g��JG�!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��g��JG�!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��g��JG�!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.832048725977619, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3c4cbe0acaffb0a3f88eec722acbfcfc", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dfa28d2a45538303419e7357f34371f284b858ec", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJG\ufffd!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0014\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffdJG\ufffd!\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJG\ufffd!qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 47, "ssh_auth_burst_rate": 3.13 }
16/06/2026 09:13:22 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| .�e5B��b��8S�Eqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| .�e5B��b��8S�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| .�e5B��b��8S�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|.�e5B��b��8S�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| .�e5B��b��8S�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.819377323713445, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cf6fa39477efa882bcad0c831ed3102e", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1277dcaf52fcacb42d2d7749ba157f5f2b9e8599", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdEqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdE\u0011\u001c\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|.\ufffde5B\ufffd\ufffdb\ufffd\ufffd8S\ufffdEqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 46, "ssh_auth_burst_rate": 3.28 }
16/06/2026 09:13:21 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��*&�/Q8��E�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��&�/Q8��E�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��&�/Q8��E�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��&�/Q8��E�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��&�/Q8��E�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.832225630085693, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "23cfce54f5214f79e1c1f6629c596221", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "181ac275916969f6c4679b0b988cfc45d6f4cda5", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd&\ufffd\/Q8\ufffd\ufffd\ufffd\ufffdE\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd&\ufffd\u001e\/Q8\ufffd\ufffd\u0000\ufffd\ufffdE\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd*&\ufffd\/Q8\ufffd\ufffd\ufffd\ufffdE\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 46, "ssh_auth_burst_rate": 3.28 }
16/06/2026 09:13:20 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ~t�4��ad��p��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ~t�4��ad��p��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ~t�4��ad��p��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|~t�4��ad��p��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ~t�4��ad��p��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.821308856273013, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2349688ff024d0d88d9ea1af3599a325", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc8b5dd5b06ab2f1e1078551e6dd1f748a9cb7bc", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|~t\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u001b~t\u0005\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|~t\ufffd4\ufffd\ufffdad\ufffd\ufffd\ufffdp\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 51, "ssh_auth_burst_rate": 3.4 }
16/06/2026 09:13:17 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| Z�2`2��Z��!Oqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| Z�2`2��Z��!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| Z�2`2��Z��!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|Z�2`2��Z��!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| Z�2`2��Z��!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.832122430542513, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d6bd4b989975ee8018bb19adbb83c2cf", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce6ed482aeadd7988f12327c62ca7bb79c7ddb85", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!O\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|Z\ufffd2`2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd\ufffd!Oqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 54, "ssh_auth_burst_rate": 3.6 }
16/06/2026 09:13:16 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| Kp]�w�sl��O�K��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| Kp]�w�sl��O�K��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| Kp]�w�sl��O�K��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|Kp]�w�sl��O�K��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| Kp]�w�sl��O�K��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.827204514318352, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6f7517587ffa509c8412cf2170b23a0e", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a5281647a1dae0a3691e1d0adaa1d57db281c556", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|Kp]\ufffdw\ufffdsl\ufffd\ufffd\ufffdO\ufffdK\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:16 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��E��zH=Dʢ]Rqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��E��zH=Dʢ]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| ��E��zH=Dʢ]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��E��zH=Dʢ]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��E��zH=Dʢ]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.8547434135592, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0fd440f78e25525efe2c5236c63d8957", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21ce14c49364042251bc9257c9cac5b8cf44d453", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffdE\ufffd\ufffdzH=D\u02a2]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffdE\u001d\ufffd\ufffdz\u0019H=D\u02a2\u0005]R\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffdE\ufffd\ufffdzH=D\u02a2]Rqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 57, "ssh_auth_burst_rate": 3.8 }
16/06/2026 09:13:15 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| R�H��a��l$��aqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| R�H��a��l$��aqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| R�H��a��l$��aqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|R�H��a��l$��aqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| R�H��a��l$��aqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.835254130398517, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2e54f8263cad80de8312e69dcd5a5fc4", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99e84e0939322cca2c61ec98659a2b0c2c97dfc3", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\ufffdl$\ufffd\ufffdaqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\u001c\ufffdl$\ufffd\ufffda\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|R\ufffdH\ufffd\ufffd\ufffda\ufffd\ufffd\ufffdl$\ufffd\ufffdaqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 55, "ssh_auth_burst_rate": 3.67 }
16/06/2026 09:13:15 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| -g̵��n��B�Eqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| -g̵��n��B�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| -g̵��n��B�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|-g̵��n��B�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| -g̵��n��B�Eqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.823020945292772, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1508502b6d4a8d399c329c96b071b8a4", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c5ab28f990d9c1568c6cd4147f790237fa8e832", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|-g\u0335\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdB\ufffdEqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014-g\u0335\ufffd\ufffd\ufffd\u001f\ufffdn\ufffd\ufffd\ufffdB\ufffdE\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|-g\u0335\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdB\ufffdEqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:14 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| Y2v�{�<��п��zKqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| Y2v�{�<��п��zKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| Y2v�{�<��п��zKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|Y2v�{�<��п��zKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| Y2v�{�<��п��zKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.831583614617291, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bea73566cc4b1dc4473ec9b1928261e3", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "74e71a02e5a09a8aa47a125ef680ed694641f0c3", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|Y2v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Y\u00012v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzK\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|Y2v\ufffd{\ufffd<\ufffd\ufffd\u043f\ufffd\ufffdzKqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 55, "ssh_auth_burst_rate": 3.67 }
16/06/2026 09:13:14 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| U��_�z��H��2�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| U��_�z��H��2�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| U��_�z��H��2�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|U��_�z��H��2�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| U��_�z��H��2�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.823070550011895, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5a4bb22f4ae2fa7b883bc70f46e87377", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a1bbfbf73187fef02618857e618424bd117e52c", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0011U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|U\ufffd\ufffd_\ufffdz\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd2\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:13 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| S��Xp��P SG(�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| S��Xp��P SG(�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| S��Xp��P SG(�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|S��Xp��P SG(�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| S��Xp��P SG(�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.821874568817158, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "19e57142faeb525c26e9263dec150b26", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "88801b669a9223882d6f27b38a3b13d296169c14", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|S\ufffd\ufffd\ufffdXp\ufffd\ufffdP SG(\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\u0003S\ufffd\ufffd\ufffdX\u001dp\ufffd\ufffdP SG(\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|S\ufffd\ufffd\ufffdXp\ufffd\ufffdP SG(\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:13 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| HvL � �1#�a�qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| HvL � �1#�a�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| HvL � �1#�a�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|HvL � �1#�a�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| HvL � �1#�a�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.827146321421658, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07cf9796a53eb8833730545bc62a52e5", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f971571c47401facd8755753c1b367d9bbbe619", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|HvL\n\ufffd \ufffd1#\ufffda\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014Hv\u0005L\n\ufffd \ufffd1\u0010\u001d#\ufffda\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|HvL\n\ufffd \ufffd1#\ufffda\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 57, "ssh_auth_burst_rate": 3.8 }
16/06/2026 09:13:12 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��Vϩ��Fqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��Vϩ��Fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| ��Vϩ��Fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��Vϩ��Fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��Vϩ��Fqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.849926929248917, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b909098c4446ea4d993ac52981e770d6", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee9e7e124277c11d0781bfe387be52d9c4be16cf", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffd\ufffd\ufffdV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdFqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\u001cV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffd\ufffd\ufffdV\u03e9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdFqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 55, "ssh_auth_burst_rate": 3.67 }
16/06/2026 09:13:12 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��O��G��_qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��O��G��_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��O��G��_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��O��G��_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��O��G��_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.84813548404378, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1bc496a5bcebb10bfd40e8d21866a379", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a10da6351ee5c4a8f09d3c7578d3c2be235b2fdb", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u001c\ufffdO\ufffd\ufffd\ufffd\ufffd\u0006G\ufffd\ufffd\ufffd\ufffd_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:11 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��kl8�,>Nl(y_qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��kl8�,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��kl8�,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��kl8�,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��kl8�,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.817601386498621, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "33fa5f0741b61a7d9bffa81402957e6b", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e794876319b4ffca6e0c51a2ef210e4d235f638", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdkl8\ufffd,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd\u0000\ufffdkl8\u0015\ufffd,>Nl(y_\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd\ufffdkl8\ufffd,>Nl(y_qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 56, "ssh_auth_burst_rate": 3.73 }
16/06/2026 09:13:10 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| bFvG3A�n��v`�i �qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| bFvG3A�n��v`�i �qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| bFvG3A�n��v`�i �qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|bFvG3A�n��v`�i �qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| bFvG3A�n��v`�i �qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.798533938369332, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "28b2ecc6754a1df3e6af6c1104987574", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52b89340643f103aeb9ee04e6eb071add511445f", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|bFvG3A\ufffdn\ufffd\ufffdv`\ufffdi\t\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 54, "ssh_auth_burst_rate": 3.6 }
16/06/2026 09:13:10 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| c�@��TQ��qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| c�@��TQ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| c�@��TQ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|c�@��TQ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| c�@��TQ��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.825354715790321, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "caad6e6f4e769ed6d193b03b02aab841", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "abdeead228cf3157765dd5e593dad526b41f148b", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|c\ufffd@\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014c\b\ufffd@\u0006\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|c\ufffd@\ufffd\ufffdTQ\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 55, "ssh_auth_burst_rate": 3.93 }
16/06/2026 09:13:09 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �щ�dǗ�p��\|qcurve25519-sha256@libssh.org,… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �щ�dǗ�p��\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521… Payload SSH-2.0-Go \| �щ�dǗ�p��\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�щ�dǗ�p��\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �щ�dǗ�p��\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.8356812694306175, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "333906b85a3b461fb23b540fc9741037", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dcd9f2bd892a7e4e06edd5ae1be4ce4f7157a70f", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\u0449\ufffdd\u01d7\ufffdp\ufffd\ufffd\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u0449\ufffdd\u01d7\u0001\ufffdp\b\ufffd\ufffd\|\u0011\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\u0449\ufffdd\u01d7\ufffdp\ufffd\ufffd\|qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 50, "ssh_auth_burst_rate": 3.57 }
16/06/2026 09:13:09 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| \�HUֹ1��8w�qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| \�HUֹ1��8w�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| \�HUֹ1��8w�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|\�HUֹ1��8w�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| \�HUֹ1��8w�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 908, "payload_entropy": 4.836867137894375, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8398356636ead272d9cb9b575568e25f", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72fd07eb18942f667ab030bf1fc3ff5573ea58e0", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\\\ufffdHU\u05b91\ufffd\ufffd8w\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\\\ufffd\u0010HU\u05b9\u00171\u0014\ufffd\ufffd8w\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\\\ufffdHU\u05b91\ufffd\ufffd8w\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 53, "ssh_auth_burst_rate": 3.78 }
16/06/2026 09:13:08 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| n�ܱ��Z��u,1��qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| n�ܱ��Z��u,1��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| n�ܱ��Z��u,1��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|n�ܱ��Z��u,1��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| n�ܱ��Z��u,1��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.82338890919931, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "974183449c80f6c63b4b8830d48eee7f", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb0bc3d282025b384738660c376b8474143e29d5", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|n\ufffd\u0731\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014n\ufffd\u0731\u001b\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|n\ufffd\u0731\ufffd\ufffdZ\ufffd\ufffdu,1\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 46, "ssh_auth_burst_rate": 3.54 }
16/06/2026 09:13:08 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| %$�)��Q%�Ð#�qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| %$�)��Q%�Ð#�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| %$�)��Q%�Ð#�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|%$�)��Q%�Ð#�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| %$�)��Q%�Ð#�qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.841276391746165, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2d4986bd45e6757e5f0fba14e7277b1f", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffcc1a77dff0ded00baede57dbdcffcd605c0efe", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|%$\ufffd)\ufffd\ufffd\ufffdQ%\ufffd\u00d0#\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014%$\ufffd)\u0000\ufffd\ufffd\ufffdQ%\ufffd\u00d0\u0002#\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|%$\ufffd)\ufffd\ufffd\ufffdQ%\ufffd\u00d0#\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 49, "ssh_auth_burst_rate": 3.77 }
16/06/2026 09:13:07 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| � O\��@�"�\|��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| � O\��@�"�\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| � O\��@�"�\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�O\��@�"�\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| � O\��@�"�\|��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.843023420647626, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b5dd6028de733ac0e81cdf15a25b0ed", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4fca812464e88ce8485746c8468090acbb9709b", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdO\\\ufffd\ufffd\ufffd\ufffd@\ufffd\"\ufffd\|\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\u000bO\\\ufffd\ufffd\ufffd\u001b\ufffd@\ufffd\"\ufffd\|\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdO\\\ufffd\ufffd\ufffd\ufffd@\ufffd\"\ufffd\|\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 42, "ssh_auth_burst_rate": 3.5 }
16/06/2026 09:13:07 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �F�瘰��z0��qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �F�瘰��z0��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| �F�瘰��z0��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�F�瘰��z0��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �F�瘰��z0��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.832119069981879, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2d0619eca26071ba9d5a8b3de9a9428c", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "437d9ee298d2e334fe9d05c435c4e15368b44fb7", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdF\ufffd\u7630\ufffd\ufffd\ufffdz0\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdF\ufffd\u7630\ufffd\u001f\ufffd\u0000\ufffdz0\ufffd\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdF\ufffd\u7630\ufffd\ufffd\ufffdz0\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 45, "ssh_auth_burst_rate": 3.75 }
16/06/2026 09:13:06 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �h�9�� c��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �h�9�� c��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| �h�9�� c��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�h�9��c��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �h�9�� c��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.810737634864348, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "be5e9d22dae46ba36857c97d58e0fd8a", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2b247cb04f1baabb64b64a55ddfc50c7d46e599", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdh\ufffd9\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffdh\u0017\u0019\u001b\ufffd9\ufffd\ufffd\fc\ufffd\ufffd\ufffd\u0001\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffdh\ufffd9\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 38, "ssh_auth_burst_rate": 3.45 }
16/06/2026 09:13:06 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ��.��gq�&�E��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ��.��gq�&�E��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ��.��gq�&�E��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|��.��gq�&�E��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ��.��gq�&�E��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a", "emulator_response_len": 39, "bytes_in": 908, "payload_entropy": 4.831587847021806, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac23a2ef5f3cef8c730d5799cbddde14", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1bf1e8e09824f679371f0e61b96c2ab91390456d", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\ufffdE\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\u001a\ufffdE\ufffd\ufffd\u0011\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd\ufffd.\ufffd\ufffdgq\ufffd&\ufffdE\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 41, "ssh_auth_burst_rate": 3.72 }
16/06/2026 09:13:05 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| @��#_�ݚ_��sxqcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| @��#_�ݚ_��sxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| @��#_�ݚ_��sxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|@��#_�ݚ_��sxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| @��#_�ݚ_��sxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.835622800937665, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "62ae36a180d8a99b6893a8e0787201ed", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "607a77e79f15f1aac833851ee35232b6daa23f19", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsx\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|@\ufffd\ufffd\ufffd\ufffd#_\ufffd\u075a_\ufffd\ufffd\ufffdsxqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 38, "ssh_auth_burst_rate": 2.53 }
16/06/2026 09:13:05 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �^$��ĭ� ��b�8qcurve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �^$��ĭ� ��b�8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go \| �^$��ĭ� ��b�8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�^$��ĭ� ��b�8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �^$��ĭ� ��b�8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.834929090682969, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2b367d26fa4eec2a07031c081971ae5f", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9db32acd17f5b2046493609101691b0f101b981e", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffdb\ufffd8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffd\u001eb\ufffd8\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd^$\ufffd\ufffd\ufffd\u012d\ufffd \ufffd\ufffdb\ufffd8qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 37, "ssh_auth_burst_rate": 3.7 }
16/06/2026 09:13:04 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| ^�N��~}:C��qcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| ^�N��~}:C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| ^�N��~}:C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|^�N��~}:C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| ^�N��~}:C��qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.853300843997055, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d50a2f2ad13e900059c630cc721760cf", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "066e48999c3b95a6e87fa8b02d998ed07799f3e3", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|^\ufffdN\ufffd\ufffd~}:C\ufffd\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014^\ufffdN\ufffd\u001b\ufffd~}:C\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|^\ufffdN\ufffd\ufffd~}:C\ufffd\ufffd\ufffd\ufffd\ufffdqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 37, "ssh_auth_burst_rate": 2.64 }
16/06/2026 09:13:03 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| Ef�8�l�H�捩�%qcurve25519-sha256@libssh.org… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| Ef�8�l�H�捩�%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp52… Payload SSH-2.0-Go \| Ef�8�l�H�捩�%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|Ef�8�l�H�捩�%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| Ef�8�l�H�捩�%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a", "emulator_response_len": 41, "bytes_in": 908, "payload_entropy": 4.839161051659005, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11810445f0e0466eb9bb3dc8f0e5a97d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1be986ca16d06c5c0a520da26e96dc8aa1b8c0e2", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|Ef\ufffd8\ufffdl\ufffdH\ufffd\u6369\ufffd%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014E\u0017f\ufffd8\ufffdl\ufffdH\ufffd\u6369\u0005\ufffd%\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|Ef\ufffd8\ufffdl\ufffdH\ufffd\u6369\ufffd%qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 42, "ssh_auth_burst_rate": 2.8 }
16/06/2026 09:13:02 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Rafale auth MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go \| �03L(x �tj,��L�sqcurve25519-sha256@libssh.o… Émulateur SSH WAF — Recommandation Investiguer Tags net_bruteforce_burst net_ssh_probe ssh_banner ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go \| �03L(x �tj,��L�sqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp… Payload SSH-2.0-Go \| �03L(x �tj,��L�sqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go \|�03L(x �tj,��L�sqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go \| �03L(x �tj,��L�sqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1�rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 908, "payload_entropy": 4.814078453933161, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf99a5926131044aea127ec8e1be9bc67108bd7d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0fd872516910a0e6973b16d12e183da1", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1\u0000\u0000\u0001\ufffdrsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af6f05c84f521e54eddcce265b377988aa843166", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffdsqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0003\|\u000b\u0014\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffds\u0000\u0000\u0000qcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\n\|\ufffd03L(x \ufffdtj,\ufffd\ufffdL\ufffdsqcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_bruteforce_burst", "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "ssh_auth_burst": true, "ssh_auth_burst_count": 44, "ssh_auth_burst_rate": 2.93 }

50.114.172.201

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence