|
|
TCP |
2082 · CPANEL
|
cpanel
|
Scan de ports
port scan syn · via CPANEL:2082 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +18
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 16509,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3fd7ce0c7488204fefb3517534e11698439a8072",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 42
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "92f1d25306f2e7522abcca09e7991ff7bb19360a",
"protocol_details": {
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "port scan syn \u00b7 via CPANEL:2082 \u00b7 (reconnaissance)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL \u2014 multi-protocole (4 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "port scan syn \u00b7 via CPANEL:2082 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2078,
2082,
2083,
2086
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 4,
"scan_velocity_ports_per_s": 40,
"multi_protocol_correlation": true,
"multi_protocol_count": 4,
"multi_protocol_sample": [
"cpanel",
"cpanel-ssl",
"port:2078",
"port:2086"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2095
|
—
|
Scan de ports
port scan syn · port 2095 · (reconnaissance)
|
Faible
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2095
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +18
Risque capteur
Moyen
· 42
Confiance : Confiance élevée (100 %) — signaux convergents
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "US",
"dst_port": 2095,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 42,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "71fde937e85a7f9549deacf18c1a305f326580ab",
"event_fingerprint": "beb69de90685708107478fb51eb34bd128b33d3d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2095,
"risk_score": 42
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "365d8b4b7a0fc9321cebe5df753160431fb29fe1",
"protocol_details": {
"port": 2095
},
"attack_vector": "port scan syn \u00b7 port 2095 \u00b7 (reconnaissance)",
"target_port_label": "2095",
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (5 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 18
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2095,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"port": 2095
},
"attack_vector": "port scan syn \u00b7 port 2095 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "2095",
"emulator_service": null,
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2095"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
2078,
2082,
2083,
2086,
2095
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 5,
"scan_velocity_ports_per_s": 50,
"multi_protocol_correlation": true,
"multi_protocol_count": 5,
"multi_protocol_sample": [
"cpanel",
"cpanel-ssl",
"port:2078",
"port:2086",
"port:2095"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:2082 · (reconnaissance) · → /.git/HEAD
|
Élevée
|
Élevé · 65
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.git/HEAD UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/…
Émulateur
HTTP
WAF
33
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/.git/HEAD
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/.git/HEAD
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +18
Risque capteur
Élevé
· 65
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
ET .git HEAD
LFI Double-dot bypass
Probe /.git/HEAD
Ligne de requête
GET /.git/HEAD HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-0
Payload (extrait)
GET /.git/HEAD HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h
Requête brute (extrait)
GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/head",
"http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 178,
"payload_entropy": 5.116674927683735,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 2082,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 65,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "ab0888b6bc9d61c73c49a05e44cb2286b3a0ee76",
"event_fingerprint": "7ed8cfcfbc9a01ca5eb2646636f688e51c0eb129",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0749",
"pat-0103",
"pat-0197"
],
"matched_pattern_names": [
"ET .git HEAD",
"LFI Double-dot bypass",
"Probe \/.git\/HEAD"
],
"pattern_ids": [
"pat-0749",
"pat-0103",
"pat-0197"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 65,
"correlation_boost": 18
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f",
"payload_hash": "3f4bc04ade87552cc876c8c62aac76a7",
"path_pattern_hash": "353579f4025217f1143d65b4213aaffa"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 65
},
"payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h",
"method": "GET",
"path": "\/.git\/HEAD",
"user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h",
"evidence": {
"method": "GET",
"path": "\/.git\/HEAD",
"user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c5fb9041ae43f29daa6ac124ea5a398593c19aa0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/HEAD",
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h",
"attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (6 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 65,
"correlation_boost": 18
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 65,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/HEAD",
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:2082 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 5,
"port_scan_ports_sample": [
2078,
2082,
2083,
2086,
2095
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 5,
"scan_velocity_ports_per_s": 33.66,
"multi_protocol_correlation": true,
"multi_protocol_count": 6,
"multi_protocol_sample": [
"cpanel",
"cpanel-ssl",
"http",
"port:2078",
"port:2086",
"port:2095"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|