{"ip":"51.210.0.2","exported_at":"2026-06-19T17:25:12+00:00","period_days":30,"metrics":{"events7d":92,"distinct_ports":1,"distinct_classifications":3,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":47,"attack_stage":"c2","attack_chain_stage":"command_and_control","threat_family":["botnet"],"recommended_action":"monitor","confidence":0.72,"risk_breakdown":{"waf":8,"classification":62,"behavior":0,"geo":40,"protocol":30,"novelty":15},"mitre_tactics":["TA0011"],"mitre_technique":"TA0011","top_mitre_technique":"TA0007","top_mitre_count":83,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":62,"behavior":0,"geo":40,"protocol":30,"novelty":15,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":72,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Tor Exit Hint","Upstream"],"tags_summary":["INT-TOR-exit-hint","INT-upstream"],"attack_vector":"tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)","protocol_details":{"payload_preview":"OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: Lavf60.16.100","port":554,"service":"rtsp","service_label_fr":"RTSP"},"protocol_summary_fr":"Payload OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\r\nCSeq: \u2026 \u00b7 RTSP:554","evidence_snippet":"OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: Lavf60.16.100","target_port_label":"554 \u00b7 RTSP","emulator_service":"rtsp","confidence_reason":"Confiance 72 % \u2014 3 signal(aux) capteur","classification_reason":"Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%","classification_reason_label_fr":"Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%","confidence_factors_fr":"Confiance 72 % \u2014 Score WAF 8","payload_preview":"OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: Lavf60.16.100"},"events":[{"id":9586606,"ip":"51.210.0.2","ts":"2026-06-18 15:03:36.000000","proto":"tcp","src_port":26108,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 5.083976497845983, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f798875a53250400eef96a5b73d87f8d\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e55f5bc72f598bc0f7b8a3efa6ba4ece8701f15\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":95},{"id":9586604,"ip":"51.210.0.2","ts":"2026-06-18 15:03:34.000000","proto":"tcp","src_port":26100,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 86, \u0022payload_entropy\u0022: 4.937738377163204, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c70feef3acd3eef48b3e86c83e96243f\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ada362ddce67ae574fe79e85e54d312f60228af\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":86},{"id":9586600,"ip":"51.210.0.2","ts":"2026-06-18 15:03:33.000000","proto":"tcp","src_port":26094,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 98, \u0022payload_entropy\u0022: 5.104370369948427, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ceb24f2a7e30e68b0e51b6dcbc33ec2\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ccf5ca94d0b1f170d643ac6341d58d1abaccb4a8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":98},{"id":9586599,"ip":"51.210.0.2","ts":"2026-06-18 15:03:32.000000","proto":"tcp","src_port":25980,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 5.0097106907856945, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ff42624e5240fe01b8b0ba3f0bd82cf\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221c8a94d7f36ad073e33cca7a5147476b7c243b9c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586597,"ip":"51.210.0.2","ts":"2026-06-18 15:03:31.000000","proto":"tcp","src_port":25966,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2932141942290265, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c3c5d2ed787bbdb0ffdfcb271929f7c\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cf2789ebaed86156f021e06d0bed8f87722879\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9586595,"ip":"51.210.0.2","ts":"2026-06-18 15:03:30.000000","proto":"tcp","src_port":25954,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.928797220760338, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ebbf9b2b52ebe222e2c8e07513ff35f4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d69b33cee4b667350dc0615f49466affc233f415\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586592,"ip":"51.210.0.2","ts":"2026-06-18 15:03:27.000000","proto":"tcp","src_port":25948,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 97, \u0022payload_entropy\u0022: 5.080590585823266, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b4487d4bb6cf10ea1731eb9e3e6207bf\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223c00690a0d0fd28d851f0bac6e7a08b599f12da0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/profile1\/media.smp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":97},{"id":9586591,"ip":"51.210.0.2","ts":"2026-06-18 15:03:26.000000","proto":"tcp","src_port":25938,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2932141942290265, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c3c5d2ed787bbdb0ffdfcb271929f7c\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cf2789ebaed86156f021e06d0bed8f87722879\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9586590,"ip":"51.210.0.2","ts":"2026-06-18 15:03:25.000000","proto":"tcp","src_port":25912,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.0290893130880665, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a593790ed16132adae6de68ef6e043e4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f20af822498f5c56a52b8dd709a3f4967da5b6d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264_stream RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90},{"id":9586589,"ip":"51.210.0.2","ts":"2026-06-18 15:03:24.000000","proto":"tcp","src_port":25906,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 85, \u0022payload_entropy\u0022: 5.010639724495571, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2d55c63b048ed5f79b7af73c746e934\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b743f1356912892dca767557032e3aadb5329abe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif2 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":85},{"id":9586588,"ip":"51.210.0.2","ts":"2026-06-18 15:03:23.000000","proto":"tcp","src_port":25896,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 83, \u0022payload_entropy\u0022: 4.951678401378039, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225acfae6c06317359f6eea7986360e327\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002214bf971619419bdb9b366480de06381f69d21cdc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":83},{"id":9586586,"ip":"51.210.0.2","ts":"2026-06-18 15:03:21.000000","proto":"tcp","src_port":60940,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 5.0097106907856945, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ff42624e5240fe01b8b0ba3f0bd82cf\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221c8a94d7f36ad073e33cca7a5147476b7c243b9c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/video RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586584,"ip":"51.210.0.2","ts":"2026-06-18 15:03:20.000000","proto":"tcp","src_port":60930,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 130, \u0022payload_entropy\u0022: 5.307553368016239, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002245aa18c392f4a845c1ec8b9f8e7e5fae\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022492976a23c0f3d50491cec4ca4e007293f1a2ac5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/user=admin\u0026password=tlJwpbo6\u0026channel=1\u0026stream=0.sdp RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":130},{"id":9586582,"ip":"51.210.0.2","ts":"2026-06-18 15:03:19.000000","proto":"tcp","src_port":60920,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 5.083976497845983, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f798875a53250400eef96a5b73d87f8d\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e55f5bc72f598bc0f7b8a3efa6ba4ece8701f15\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/\/cam\/realmonitor RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":95},{"id":9586580,"ip":"51.210.0.2","ts":"2026-06-18 15:03:18.000000","proto":"tcp","src_port":60912,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 83, \u0022payload_entropy\u0022: 4.951678401378039, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225acfae6c06317359f6eea7986360e327\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002214bf971619419bdb9b366480de06381f69d21cdc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":83},{"id":9586577,"ip":"51.210.0.2","ts":"2026-06-18 15:03:17.000000","proto":"tcp","src_port":60908,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.919397033720575, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221c8bc9d5b09847509b6c90a9b9dd5d2a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226eaeaf107668232cd8f65caa7e10c75c94b9537f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":88},{"id":9586574,"ip":"51.210.0.2","ts":"2026-06-18 15:03:16.000000","proto":"tcp","src_port":60892,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 97, \u0022payload_entropy\u0022: 5.060735265422721, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228eb5e2dff0fa44813c79520e76a733b9\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227218df22f0d0bb9136f623145023d32e847e4a15\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/unicast\/c2\/s2\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":97},{"id":9586571,"ip":"51.210.0.2","ts":"2026-06-18 15:03:15.000000","proto":"tcp","src_port":60882,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 83, \u0022payload_entropy\u0022: 4.975774786920208, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022665d6713227d2a0cb505d2c90c40c9d9\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bb773b1c9071055b8132b7e94779c892ed5c8312\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":83},{"id":9586562,"ip":"51.210.0.2","ts":"2026-06-18 15:03:12.000000","proto":"tcp","src_port":26932,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.023642368691698, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229e83680164253a0d2f90560d4c0d7096\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c839dd8a3637a1cfd8a3720c41014ac2cefe39a3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90},{"id":9586565,"ip":"51.210.0.2","ts":"2026-06-18 15:03:12.000000","proto":"tcp","src_port":60880,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.982750422851285, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002200d50d737e7d74d3fdbfb713c838dc8a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d366f263ff78bb9d0128565773edc38d9b1ed876\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586559,"ip":"51.210.0.2","ts":"2026-06-18 15:03:11.000000","proto":"tcp","src_port":26926,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.923268727347122, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c532aff883ea15c65947f77dac768b96\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223114074c9c7f3c35e66be624ade4ffd98f236ff9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586558,"ip":"51.210.0.2","ts":"2026-06-18 15:03:09.000000","proto":"tcp","src_port":26910,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 5.016321181595357, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ed93d0630ce7e5eb51fc01a08cf4604f\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227fdda4e8d4f06374b584275a95afd5e9a5a733ec\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":88},{"id":9586556,"ip":"51.210.0.2","ts":"2026-06-18 15:03:08.000000","proto":"tcp","src_port":26896,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.928797220760338, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ebbf9b2b52ebe222e2c8e07513ff35f4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d69b33cee4b667350dc0615f49466affc233f415\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586554,"ip":"51.210.0.2","ts":"2026-06-18 15:03:06.000000","proto":"tcp","src_port":26890,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.04615160812462, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e755c363b97e479b2f8c6e7a39fd05d4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022231f7b1be9223a57d359c819304028c4eef38736\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90},{"id":9586549,"ip":"51.210.0.2","ts":"2026-06-18 15:03:04.000000","proto":"tcp","src_port":26886,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 101, \u0022payload_entropy\u0022: 5.044025161197348, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b509dca44135eb8fe6bb1fe927f6fb79\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fdac62e6cb70627cb5a523fd70671f07fd0b213c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/102 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":101},{"id":9586545,"ip":"51.210.0.2","ts":"2026-06-18 15:03:02.000000","proto":"tcp","src_port":61110,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 83, \u0022payload_entropy\u0022: 4.951678401378039, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225acfae6c06317359f6eea7986360e327\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002214bf971619419bdb9b366480de06381f69d21cdc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":83},{"id":9586541,"ip":"51.210.0.2","ts":"2026-06-18 15:02:59.000000","proto":"tcp","src_port":61102,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.023642368691698, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229e83680164253a0d2f90560d4c0d7096\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c839dd8a3637a1cfd8a3720c41014ac2cefe39a3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/live\/ch00_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90},{"id":9586540,"ip":"51.210.0.2","ts":"2026-06-18 15:02:56.000000","proto":"tcp","src_port":61090,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.928797220760338, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ebbf9b2b52ebe222e2c8e07513ff35f4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d69b33cee4b667350dc0615f49466affc233f415\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/av0_0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586533,"ip":"51.210.0.2","ts":"2026-06-18 15:02:52.000000","proto":"tcp","src_port":30840,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 86, \u0022payload_entropy\u0022: 4.937738377163204, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c70feef3acd3eef48b3e86c83e96243f\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ada362ddce67ae574fe79e85e54d312f60228af\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":86},{"id":9586528,"ip":"51.210.0.2","ts":"2026-06-18 15:02:49.000000","proto":"tcp","src_port":30806,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 85, \u0022payload_entropy\u0022: 4.991702777737491, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f1ebeeb4ec44914c29c2a239fd18510b\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d2b833182831dc8f0016ac197fc7d3f7564f46b2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/onvif1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":85},{"id":9586525,"ip":"51.210.0.2","ts":"2026-06-18 15:02:46.000000","proto":"tcp","src_port":30772,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 98, \u0022payload_entropy\u0022: 5.104370369948427, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ceb24f2a7e30e68b0e51b6dcbc33ec2\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ccf5ca94d0b1f170d643ac6341d58d1abaccb4a8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/h264Preview_01_main RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":98},{"id":9586522,"ip":"51.210.0.2","ts":"2026-06-18 15:02:41.000000","proto":"tcp","src_port":20642,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2932141942290265, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c3c5d2ed787bbdb0ffdfcb271929f7c\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cf2789ebaed86156f021e06d0bed8f87722879\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9586516,"ip":"51.210.0.2","ts":"2026-06-18 15:02:39.000000","proto":"tcp","src_port":20634,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 79, \u0022payload_entropy\u0022: 4.900061090081141, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228bf317a0a8524b4b7022e6774105a2a6\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220069c67a7504c57b5eca7421fdeebd26e4557710\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":79},{"id":9586515,"ip":"51.210.0.2","ts":"2026-06-18 15:02:38.000000","proto":"tcp","src_port":20624,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 78, \u0022payload_entropy\u0022: 4.905290161275783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e1e92af167ca2cdedf4614fa66989420\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d6009af36968587e8ef4d8b30c2051908903023\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":78},{"id":9586514,"ip":"51.210.0.2","ts":"2026-06-18 15:02:36.000000","proto":"tcp","src_port":20604,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 89, \u0022payload_entropy\u0022: 4.933034274268111, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da4efce29e738b19e6a1514610889a02\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c052895cd9bf3821b43a6d73a2393170f7aef7ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/ch01.264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":89},{"id":9586513,"ip":"51.210.0.2","ts":"2026-06-18 15:02:35.000000","proto":"tcp","src_port":20590,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 80, \u0022payload_entropy\u0022: 4.890634426587137, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220ffdd962f72e060eadf81b6804ea1d14\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ff9df1b1057a91e68d82cc7c91299f2dd267df0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":80},{"id":9586510,"ip":"51.210.0.2","ts":"2026-06-18 15:02:33.000000","proto":"tcp","src_port":20588,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2932141942290265, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c3c5d2ed787bbdb0ffdfcb271929f7c\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cf2789ebaed86156f021e06d0bed8f87722879\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9586505,"ip":"51.210.0.2","ts":"2026-06-18 15:02:28.000000","proto":"tcp","src_port":26528,"dst_port":554,"service":"rtsp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2932141942290265, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ede49e53004f29a4185d68116b64086c80bfc558\u0022, \u0022event_fingerprint\u0022: \u002296ba8353a2e0c3ee9bf071a6762ce711536fe8ff\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022confidence\u0022: 0.72, \u0022classification_confidence\u0022: 0.72, \u0022precision_score\u0022: 80, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 72.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c3c5d2ed787bbdb0ffdfcb271929f7c\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b6cf2789ebaed86156f021e06d0bed8f87722879\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 72%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 72 % \u2014 via RTSP\u0022, \u0022confidence_pct\u0022: 72, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via RTSP:554 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/cam\/realmonitor?channel=1\u0026subtype=0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 72 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 72 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_tor_exit_probe\u0022, \u0022rtsp_probe\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9586504,"ip":"51.210.0.2","ts":"2026-06-18 15:02:26.000000","proto":"tcp","src_port":26498,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 101, \u0022payload_entropy\u0022: 5.02521194803012, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228a90ee5c46af584c239a1882419851ed\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a0ccbdce174c82cd2601f84b9504fa937135f82\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/Streaming\/Channels\/101 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":101},{"id":9586502,"ip":"51.210.0.2","ts":"2026-06-18 15:02:25.000000","proto":"tcp","src_port":26494,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.923268727347122, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c532aff883ea15c65947f77dac768b96\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223114074c9c7f3c35e66be624ade4ffd98f236ff9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1.AMP RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586501,"ip":"51.210.0.2","ts":"2026-06-18 15:02:24.000000","proto":"tcp","src_port":26490,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 80, \u0022payload_entropy\u0022: 4.890634426587137, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220ffdd962f72e060eadf81b6804ea1d14\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ff9df1b1057a91e68d82cc7c91299f2dd267df0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":80},{"id":9586498,"ip":"51.210.0.2","ts":"2026-06-18 15:02:21.000000","proto":"tcp","src_port":39052,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 81, \u0022payload_entropy\u0022: 4.878076817774645, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ad14aa2df15dbae96b7075995f1aa10\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c1cfa89b116a017b110e38e2385faa1960ee6c7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/11 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":81},{"id":9586496,"ip":"51.210.0.2","ts":"2026-06-18 15:02:20.000000","proto":"tcp","src_port":39036,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.919397033720575, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221c8bc9d5b09847509b6c90a9b9dd5d2a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226eaeaf107668232cd8f65caa7e10c75c94b9537f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/stream1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":88},{"id":9586492,"ip":"51.210.0.2","ts":"2026-06-18 15:02:18.000000","proto":"tcp","src_port":39024,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 80, \u0022payload_entropy\u0022: 4.890634426587137, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220ffdd962f72e060eadf81b6804ea1d14\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ff9df1b1057a91e68d82cc7c91299f2dd267df0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":80},{"id":9586490,"ip":"51.210.0.2","ts":"2026-06-18 15:02:13.000000","proto":"tcp","src_port":39004,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.961812869298426, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220bd900841a2e336db60f0f99eaa6ea58\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dc30fc16a3b28953fa0b743ba44c1f1532211ccd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01.h264 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":88},{"id":9586488,"ip":"51.210.0.2","ts":"2026-06-18 15:02:12.000000","proto":"tcp","src_port":38990,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 80, \u0022payload_entropy\u0022: 4.890634426587137, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220ffdd962f72e060eadf81b6804ea1d14\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ff9df1b1057a91e68d82cc7c91299f2dd267df0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":80},{"id":9586480,"ip":"51.210.0.2","ts":"2026-06-18 15:02:08.000000","proto":"tcp","src_port":21212,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 85, \u0022payload_entropy\u0022: 4.925214725332748, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c6e66a62745d965ca8de5b280b91aa1a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ca3d949b299c68ef7332d31e6446d8fc859ba5a6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch01\/0 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":85},{"id":9586476,"ip":"51.210.0.2","ts":"2026-06-18 15:02:07.000000","proto":"tcp","src_port":21202,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.04615160812462, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e755c363b97e479b2f8c6e7a39fd05d4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022231f7b1be9223a57d359c819304028c4eef38736\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90},{"id":9586474,"ip":"51.210.0.2","ts":"2026-06-18 15:02:06.000000","proto":"tcp","src_port":21200,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.982750422851285, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002200d50d737e7d74d3fdbfb713c838dc8a\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d366f263ff78bb9d0128565773edc38d9b1ed876\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/ch0_1 RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":84},{"id":9586471,"ip":"51.210.0.2","ts":"2026-06-18 15:02:02.000000","proto":"tcp","src_port":28666,"dst_port":554,"service":"rtsp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a\u0022, \u0022emulator_response_len\u0022: 63, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 5.04615160812462, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022rtsp\u0022, \u0022app_proto\u0022: \u0022rtsp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022FR\u0022, \u0022dst_port\u0022: 554, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c612347518e049ce96c448df76dc171f725494ef\u0022, \u0022event_fingerprint\u0022: \u0022ce3db5ba4bd31f163b31f656bd467795f2c32ce9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022FR\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e755c363b97e479b2f8c6e7a39fd05d4\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022231f7b1be9223a57d359c819304028c4eef38736\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022, \u0022dst_port\u0022: 554, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022port\u0022: 554, \u0022service\u0022: \u0022rtsp\u0022, \u0022service_label_fr\u0022: \u0022RTSP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via RTSP:554 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/62.3.50.33:554\/1\/h264major RTSP\/1.0\\r\\nCSeq: 1\\r\\nUser-Agent: Lavf60.16.100\u0022, \u0022target_port_label\u0022: \u0022554 \u00b7 RTSP\u0022, \u0022emulator_service\u0022: \u0022rtsp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rtsp\u0022, \u0022service_banner\u0022: \u0022honeypot-rtsp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022554\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rtsp_probe\u0022, \u0022rtsp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":90}],"total_events":92}