Renseignement sur les menaces

Australie

51.161.198.228

FAI OVH SAS Première vue 05/06/2026 10:58 UTC Dernière vue 18/06/2026 03:44 UTC Risque Moyen

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte · risque 43/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 43/100 Moyen

Première observation 05/06/2026 10:58 UTC

Dernière observation 18/06/2026 03:44 UTC

Événements (période) 2

MITRE ATT&CK principal TA0007 2 occurrences

Activité suspecte · risque 43/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tags WAF: nosqli-3, k8s-api · confiance 50%

Confiance 58 % — Score WAF 48 · Bonus corrélation +8 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 16276 · 51.161.128.0/17 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 2 événements sur la période pour cette IP.

51.178.73.165 socks5 probe 18/06/2026 13:15 UTC
72.251.8.119 Sonde port 18/06/2026 12:46 UTC
51.178.92.167 socks5 probe 18/06/2026 10:37 UTC
198.50.239.95 Cross-site scripting 18/06/2026 04:26 UTC
51.210.32.63 socks5 probe 18/06/2026 03:21 UTC
54.38.65.111 Tentative d'exploit 18/06/2026 01:45 UTC
51.91.218.210 socks5 probe 18/06/2026 00:16 UTC
51.178.75.69 socks5 probe 17/06/2026 22:17 UTC

Événements (filtres)

Première observation

05/06/2026 10:58 UTC

Dernière observation

18/06/2026 03:44 UTC

Dernière activité (filtres)

18/06/2026 03:44 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 1 OLLAMA TCP 1

HTTP

OLLAMA

Géolocalisation

Origine réseau déclarée

Australie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

OVH SAS 0 Port 11434 ollama

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

probe api · via HTTP:11434 · (sonde / probe) · → /api/tags

Détails protocole

Méthode: GET
Chemin: /api/tags
User-Agent: Mozilla/5.0

Aperçu payload

GET /api/tags HTTP/1.1 User-Agent: Mozilla/5.0 Accept: application/json Host: 62.3.50.33:11434 Connection: keep-alive

Port / service

11434 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 50 % — 2 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

Upstream Waf Score

Confiance

58% Corrélation +8

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

2 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

2 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 03:44:04 UTC	TCP	11434 · HTTP	http	probe api probe api · via HTTP:11434 · (sonde / probe) · → /api/tags	Élevée	Moyen · 43
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /api/tags UA Mozilla/5.0 Émulateur HTTP WAF 10 Recommandation Surveiller Tags 950468:nosqli-3 950600:k8s-api http_probe_api net_web_probe Cible HTTP GET /api/tags TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11434 Chemin / cible /api/tags Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3, k8s-api · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 43 Confiance : Confiance 50 % — 2 tag(s) WAF Protocole émulé 1 Signaux Upstream Waf Score Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /api/tags HTTP/1.1` User-Agent Mozilla/5.0 Règles WAF nosqli-3 k8s-api Payload (extrait) GET /api/tags HTTP/1.1 User-Agent: Mozilla/5.0 Accept: application/json Host: 62.3.50.33:11434 Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "82aa6a482bd276cff149740478a603a5fe834840", "http_host_hash": "0edcf6ab7022a3c1a90b1ad0670bd95a56782eca", "http_target_hash": "cde412588e4eb9223c5fe3ed29cd50624af6b3d6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 125, "payload_entropy": 4.9743992135506545, "port_category": "registered", "org": "OVH SAS", "service": "http", "app_proto": "http", "asn": 16276, "country": "AU", "dst_port": 11434, "risk_waf": 48, "risk_classification": 40, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 48, "classification": 40, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ab5c1b81ebe6962e79c6ddc425633b17848bd09d", "event_fingerprint": "82dcc02e1209245830c20f2a6305862634bfe888", "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 48, "classification": 40, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "AU", "asn": 16276, "org": "OVH SAS", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1066b48224bb188ceb955605f4fcff98", "payload_hash": "25367ce8864bd49d2b5ad2d0d1000a53", "path_pattern_hash": "0b9689ff0de7d3cfbe6f81aa48fb9f18" }, "target_context": { "dst_port": 11434, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive\r\n\r\n", "method": "GET", "path": "\/api\/tags", "user_agent": "Mozilla\/5.0", "waf_tags": [ "950468:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/tags HTTP\/1.1", "request_sample": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive", "evidence": { "method": "GET", "path": "\/api\/tags", "user_agent": "Mozilla\/5.0", "waf_tags": [ "950468:nosqli-3", "950600:k8s-api" ], "waf_rule_names": [ "nosqli-3", "k8s-api" ], "request_line": "GET \/api\/tags HTTP\/1.1", "request_sample": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive", "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7ad6a1531d7dd8146adb376a9a94bccc577396e", "protocol_details": { "http_method": "GET", "http_path": "\/api\/tags", "request_line": "GET \/api\/tags HTTP\/1.1", "http_user_agent": "Mozilla\/5.0", "port": 11434, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive", "attack_vector": "probe api \u00b7 via HTTP:11434 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/tags", "target_port_label": "11434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 50%", "classification_reason_label_fr": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 43\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 48, "classification": 40, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11434, "protocol_emulated": true, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/tags", "request_line": "GET \/api\/tags HTTP\/1.1", "http_user_agent": "Mozilla\/5.0", "port": 11434, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe api \u00b7 via HTTP:11434 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/api\/tags", "evidence_snippet": "GET \/api\/tags HTTP\/1.1\r\nUser-Agent: Mozilla\/5.0\r\nAccept: application\/json\r\nHost: 62.3.50.33:11434\r\nConnection: keep-alive", "target_port_label": "11434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 48 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11434" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "ollama" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950468:nosqli-3", "950600:k8s-api", "http_probe_api", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 03:44:02 UTC	TCP	11434 · OLLAMA	ollama	ollama ollama · via OLLAMA:11434 · (sonde / probe)	Faible	Faible · 2
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur OLLAMA WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 11434 Chemin / cible — Service OLLAMA Pourquoi cette classification : Type « ollama » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 2 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "OVH SAS", "service": "ollama", "app_proto": "ollama", "asn": 16276, "country": "AU", "dst_port": 11434, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 2, "tag_count": 0, "anomaly_count": 0, "campaign_key": "56ce308fbc546a6c4823036bb462dd39e8ce68df", "event_fingerprint": "e5de7378bdf0b23e311530c009ea1c8bba9f0677", "classification_reason": "Type \u00ab ollama \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 2 }, "named_classification_skipped": false, "service_name": "ollama", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "AU", "asn": 16276, "org": "OVH SAS", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "76e3c7bfe641ea125c0c2e1c5f89349e" }, "target_context": { "dst_port": 11434, "service": "ollama", "service_name": "ollama", "risk_score": 2 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e348a92dd4edbd09ec32574749e9ab35e87981c", "protocol_details": { "port": 11434, "service": "ollama", "service_label_fr": "OLLAMA" }, "attack_vector": "ollama \u00b7 via OLLAMA:11434 \u00b7 (sonde \/ probe)", "target_port_label": "11434 \u00b7 OLLAMA", "emulator_service": "ollama", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab ollama \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab ollama \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 2 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 2, "risk_label": "Faible", "service_name": "ollama", "service_label_fr": "OLLAMA", "dst_port": 11434, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ollama", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 11434, "service": "ollama", "service_label_fr": "OLLAMA" }, "attack_vector": "ollama \u00b7 via OLLAMA:11434 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "11434 \u00b7 OLLAMA", "emulator_service": "ollama", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ollama", "service_banner": "honeypot-ollama", "service_os": "linux", "dst_port": "11434" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

51.161.198.228

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

51.161.198.228

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence