Détails IP 54.88.163.67

Synthèse exécutive

Profil de menace

Score de risque 45/100 Moyen

Première observation 05/06/2026 22:02 UTC

Dernière observation 07/06/2026 22:17 UTC

Événements (période) 23

MITRE ATT&CK principal TA0007 8 occurrences

Activité suspecte

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « lpd » (signaux protocolaires) · confiance 0%

Confiance 8 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 16509 · 54.80.0.0/12 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 23 événements sur la période pour cette IP.

18.97.5.31 Tentative d'exploit 07/06/2026 22:25 UTC
3.145.140.138 Sonde PostgreSQL 07/06/2026 22:15 UTC
18.223.23.153 Sonde PostgreSQL 07/06/2026 21:58 UTC
18.225.112.125 Sonde PostgreSQL 07/06/2026 20:30 UTC
18.218.178.11 Sonde PostgreSQL 07/06/2026 20:27 UTC
18.217.170.22 Sonde PostgreSQL 07/06/2026 19:57 UTC
18.118.107.104 Sonde PostgreSQL 07/06/2026 19:55 UTC
18.188.2.55 Sonde PostgreSQL 07/06/2026 19:52 UTC

Événements (filtres)

Première observation

05/06/2026 22:02 UTC

Dernière observation

07/06/2026 22:17 UTC

Dernière activité (filtres)

07/06/2026 22:17 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

IRC TCP 9 SAP Diag TCP 4 EPMD TCP 2 WEBLOGIC TCP 2 GOPHER TCP 2 IRCS TCP 2 LPD TCP 2

IRC

SAP Diag

EPMD

WEBLOGIC

GOPHER

IRCS

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Amazon.com, Inc. 0 Port 515 lpd

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

lpd · via LPD:515 · (sonde / probe)

Détails protocole

Aperçu payload

networkscan

Port / service

515 · LPD

Service émulé

LPD

Raison confiance

Confiance faible (0 %) — classification prudente

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

8% Corrélation +8

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

23 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

23 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 22:17:19 UTC	TCP	515 · LPD	lpd	lpd lpd · via LPD:515 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur LPD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 515 Chemin / cible — Service LPD Payload networkscan Pourquoi cette classification : Type « lpd » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206c706420726561647920706f72743d3531350d0a", "emulator_response_len": 33, "bytes_in": 13, "payload_entropy": 3.5465935642949384, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "lpd", "app_proto": "lpd", "asn": 14618, "country": "US", "dst_port": 515, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4fe2a5980ed711910f8d59416d28e6ba0238e0fc", "event_fingerprint": "a19fd83a9856f1c122b80b6c10e618dae1ce3474", "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "lpd", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa24e2ea0755ee07c26826db859cbad1", "path_pattern_hash": "ebe4a1b422624ccc71016f86c2a12169" }, "target_context": { "dst_port": 515, "service": "lpd", "service_name": "lpd", "risk_score": 1 }, "payload_preview": "\u0003networkscan\n", "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "evidence": { "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d47e72228bb6d8cf4ce410d7fdc91e5ac4190fea", "protocol_details": { "payload_preview": "\u0003networkscan", "port": 515, "service": "lpd", "service_label_fr": "LPD" }, "evidence_snippet": "networkscan", "attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)", "target_port_label": "515 \u00b7 LPD", "emulator_service": "lpd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "lpd", "service_label_fr": "LPD", "dst_port": 515, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-lpd", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0003networkscan", "port": 515, "service": "lpd", "service_label_fr": "LPD" }, "attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)", "evidence_snippet": "networkscan", "target_port_label": "515 \u00b7 LPD", "emulator_service": "lpd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "lpd", "service_banner": "honeypot-lpd", "service_os": "linux", "dst_port": "515" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 6, "multi_protocol_sample": [ "epmd", "gopher", "irc", "ircs", "lpd", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 22:15:53 UTC	TCP	70 · GOPHER	gopher	Scan de ports port scan syn · via GOPHER:70 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur GOPHER WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 70 Chemin / cible — Service GOPHER Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "6957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a", "emulator_response_len": 39, "bytes_in": 2, "payload_entropy": 1, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "gopher", "app_proto": "gopher", "asn": 14618, "country": "US", "dst_port": 70, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "7de9773556d61cd035254f140e77d1a6710f3f0c", "event_fingerprint": "6fd84d2a15eac085f88e04a17911c43e5059e0f8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "gopher", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7eb70257593da06f682a3ddda54a9d26", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 70, "service": "gopher", "service_name": "gopher", "risk_score": 42 }, "payload_preview": "\r\n", "request_sample": "\r\n", "evidence": { "request_sample": "\r\n", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acbd97c326cbe019da9007dc0f104a612d73398a", "protocol_details": { "port": 70, "service": "gopher", "service_label_fr": "GOPHER" }, "attack_vector": "port scan syn \u00b7 via GOPHER:70 \u00b7 (reconnaissance)", "target_port_label": "70 \u00b7 GOPHER", "emulator_service": "gopher", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GOPHER \u2014 multi-protocole (5 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "gopher", "service_label_fr": "GOPHER", "dst_port": 70, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-gopher", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 70, "service": "gopher", "service_label_fr": "GOPHER" }, "attack_vector": "port scan syn \u00b7 via GOPHER:70 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "70 \u00b7 GOPHER", "emulator_service": "gopher", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "gopher", "service_banner": "honeypot-gopher", "service_os": "linux", "dst_port": "70" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 5, "multi_protocol_sample": [ "epmd", "gopher", "irc", "ircs", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 22:15:19 UTC	TCP	6697 · IRCS	ircs	Scan de ports port scan syn · via IRCS:6697 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur IRCS WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6697 Chemin / cible — Service IRCS Payload NICK networkscanfp USER networkscanfp 0 * :networkscan Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "ircs", "app_proto": "ircs", "asn": 14618, "country": "US", "dst_port": 6697, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ddc25c9077aa0e3cc29d57fcf65816e98f9ef8f4", "event_fingerprint": "340c1906880be7ec4566f799fa962d987f0be7ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "ircs", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6697, "service": "ircs", "service_name": "ircs", "risk_score": 42 }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fe197c2c944f4d390f3ea3b7bab1cd759fe9cf3", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6697, "service": "ircs", "service_label_fr": "IRCS" }, "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "attack_vector": "port scan syn \u00b7 via IRCS:6697 \u00b7 (reconnaissance)", "target_port_label": "6697 \u00b7 IRCS", "emulator_service": "ircs", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via IRCS \u2014 multi-protocole (4 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ircs", "service_label_fr": "IRCS", "dst_port": 6697, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ircs", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6697, "service": "ircs", "service_label_fr": "IRCS" }, "attack_vector": "port scan syn \u00b7 via IRCS:6697 \u00b7 (reconnaissance)", "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "target_port_label": "6697 \u00b7 IRCS", "emulator_service": "ircs", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ircs", "service_banner": "honeypot-ircs", "service_os": "linux", "dst_port": "6697" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "epmd", "irc", "ircs", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 22:15:14 UTC	TCP	6667 · IRC	irc	irc probe irc probe · via IRC:6667 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur IRC WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Service IRC Payload NICK networkscanfp USER networkscanfp 0 * :networkscan Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 74% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 66 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0529 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 45, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.74, "classification_confidence": 0.74, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "irc", "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc", "service_name": "irc", "risk_score": 45 }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6667, "service": "irc", "service_label_fr": "IRC" }, "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "attack_vector": "irc probe \u00b7 via IRC:6667 \u00b7 (sonde \/ probe)", "target_port_label": "6667 \u00b7 IRC", "emulator_service": "irc", "confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "classification_reason_label_fr": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "irc", "service_label_fr": "IRC", "dst_port": 6667, "protocol_emulated": true, "tags_summary": [ "pat-0529", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0529", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-irc", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6667, "service": "irc", "service_label_fr": "IRC" }, "attack_vector": "irc probe \u00b7 via IRC:6667 \u00b7 (sonde \/ probe)", "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "target_port_label": "6667 \u00b7 IRC", "emulator_service": "irc", "confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "irc", "service_banner": "honeypot-irc", "service_os": "linux", "dst_port": "6667" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "epmd", "irc", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
07/06/2026 22:14:28 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 14
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload n Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 14 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) n Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 14618, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 14, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 14, "correlation_boost": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "76fae3c085bb43bf34b254b13bd8d00d", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 14 }, "payload_preview": "\u0000\u0001n", "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "evidence": { "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "559c3d5270361df399d08cf6f4c93bb6f6e23c67", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "n", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 14, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 14, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "n", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "epmd", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 22:13:33 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload t3 12.2.1 AS:255 HL:19 MS:10000000 Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 2 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.2.1 AS:255 HL:19 MS:10000000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 36, "payload_entropy": 3.648511114409896, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "weblogic", "app_proto": "weblogic", "asn": 14618, "country": "US", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 33, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3209cb76d7a9ac3a6e65d8bcbb4694715e457ed2", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c774fdf36465e0ff86b6cbcdac011d2c", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3" }, "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "request_sample": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "payload_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "evidence": { "request_sample": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "payload_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3f6e61b0b8db97e25e9ab89dd9892388baf41d0", "protocol_details": { "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "weblogic_emulated" ], "asn_dc_heuristic": true }
07/06/2026 21:52:32 UTC	TCP	515 · LPD	lpd	lpd lpd · via LPD:515 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur LPD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 515 Chemin / cible — Service LPD Payload networkscan Pourquoi cette classification : Type « lpd » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206c706420726561647920706f72743d3531350d0a", "emulator_response_len": 33, "bytes_in": 13, "payload_entropy": 3.5465935642949384, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "lpd", "app_proto": "lpd", "asn": 14618, "country": "US", "dst_port": 515, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4fe2a5980ed711910f8d59416d28e6ba0238e0fc", "event_fingerprint": "a19fd83a9856f1c122b80b6c10e618dae1ce3474", "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "lpd", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa24e2ea0755ee07c26826db859cbad1", "path_pattern_hash": "ebe4a1b422624ccc71016f86c2a12169" }, "target_context": { "dst_port": 515, "service": "lpd", "service_name": "lpd", "risk_score": 1 }, "payload_preview": "\u0003networkscan\n", "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "evidence": { "request_sample": "\u0003networkscan\n", "payload_snippet": "\u0003networkscan", "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d47e72228bb6d8cf4ce410d7fdc91e5ac4190fea", "protocol_details": { "payload_preview": "\u0003networkscan", "port": 515, "service": "lpd", "service_label_fr": "LPD" }, "evidence_snippet": "networkscan", "attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)", "target_port_label": "515 \u00b7 LPD", "emulator_service": "lpd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab lpd \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "lpd", "service_label_fr": "LPD", "dst_port": 515, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-lpd", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0003networkscan", "port": 515, "service": "lpd", "service_label_fr": "LPD" }, "attack_vector": "lpd \u00b7 via LPD:515 \u00b7 (sonde \/ probe)", "evidence_snippet": "networkscan", "target_port_label": "515 \u00b7 LPD", "emulator_service": "lpd", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "lpd", "service_banner": "honeypot-lpd", "service_os": "linux", "dst_port": "515" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 6, "multi_protocol_sample": [ "epmd", "gopher", "irc", "ircs", "lpd", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 21:50:27 UTC	TCP	70 · GOPHER	gopher	Scan de ports port scan syn · via GOPHER:70 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur GOPHER WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 70 Chemin / cible — Service GOPHER Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "6957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a", "emulator_response_len": 39, "bytes_in": 2, "payload_entropy": 1, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "gopher", "app_proto": "gopher", "asn": 14618, "country": "US", "dst_port": 70, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "7de9773556d61cd035254f140e77d1a6710f3f0c", "event_fingerprint": "6fd84d2a15eac085f88e04a17911c43e5059e0f8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "gopher", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7eb70257593da06f682a3ddda54a9d26", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 70, "service": "gopher", "service_name": "gopher", "risk_score": 42 }, "payload_preview": "\r\n", "request_sample": "\r\n", "evidence": { "request_sample": "\r\n", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acbd97c326cbe019da9007dc0f104a612d73398a", "protocol_details": { "port": 70, "service": "gopher", "service_label_fr": "GOPHER" }, "attack_vector": "port scan syn \u00b7 via GOPHER:70 \u00b7 (reconnaissance)", "target_port_label": "70 \u00b7 GOPHER", "emulator_service": "gopher", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GOPHER \u2014 multi-protocole (5 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "gopher", "service_label_fr": "GOPHER", "dst_port": 70, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-gopher", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 70, "service": "gopher", "service_label_fr": "GOPHER" }, "attack_vector": "port scan syn \u00b7 via GOPHER:70 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "70 \u00b7 GOPHER", "emulator_service": "gopher", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "gopher", "service_banner": "honeypot-gopher", "service_os": "linux", "dst_port": "70" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 5, "multi_protocol_sample": [ "epmd", "gopher", "irc", "ircs", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 21:49:57 UTC	TCP	6697 · IRCS	ircs	Scan de ports port scan syn · via IRCS:6697 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur IRCS WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6697 Chemin / cible — Service IRCS Payload NICK networkscanfp USER networkscanfp 0 * :networkscan Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "ircs", "app_proto": "ircs", "asn": 14618, "country": "US", "dst_port": 6697, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ddc25c9077aa0e3cc29d57fcf65816e98f9ef8f4", "event_fingerprint": "340c1906880be7ec4566f799fa962d987f0be7ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "ircs", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6697, "service": "ircs", "service_name": "ircs", "risk_score": 42 }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fe197c2c944f4d390f3ea3b7bab1cd759fe9cf3", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6697, "service": "ircs", "service_label_fr": "IRCS" }, "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "attack_vector": "port scan syn \u00b7 via IRCS:6697 \u00b7 (reconnaissance)", "target_port_label": "6697 \u00b7 IRCS", "emulator_service": "ircs", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via IRCS \u2014 multi-protocole (4 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ircs", "service_label_fr": "IRCS", "dst_port": 6697, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ircs", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6697, "service": "ircs", "service_label_fr": "IRCS" }, "attack_vector": "port scan syn \u00b7 via IRCS:6697 \u00b7 (reconnaissance)", "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "target_port_label": "6697 \u00b7 IRCS", "emulator_service": "ircs", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ircs", "service_banner": "honeypot-ircs", "service_os": "linux", "dst_port": "6697" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "epmd", "irc", "ircs", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 21:49:52 UTC	TCP	6667 · IRC	irc	irc probe irc probe · via IRC:6667 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur IRC WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Service IRC Payload NICK networkscanfp USER networkscanfp 0 * :networkscan Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 74% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 66 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0529 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 45, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.74, "classification_confidence": 0.74, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "irc", "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc", "service_name": "irc", "risk_score": 45 }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6667, "service": "irc", "service_label_fr": "IRC" }, "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "attack_vector": "irc probe \u00b7 via IRC:6667 \u00b7 (sonde \/ probe)", "target_port_label": "6667 \u00b7 IRC", "emulator_service": "irc", "confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "classification_reason_label_fr": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "irc", "service_label_fr": "IRC", "dst_port": 6667, "protocol_emulated": true, "tags_summary": [ "pat-0529", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0529", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-irc", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "port": 6667, "service": "irc", "service_label_fr": "IRC" }, "attack_vector": "irc probe \u00b7 via IRC:6667 \u00b7 (sonde \/ probe)", "evidence_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "target_port_label": "6667 \u00b7 IRC", "emulator_service": "irc", "confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "irc", "service_banner": "honeypot-irc", "service_os": "linux", "dst_port": "6667" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "epmd", "irc", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
07/06/2026 21:48:59 UTC	TCP	4369 · EPMD	epmd	epmd epmd · via EPMD:4369 · (sonde / probe)	Faible	Faible · 14
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur EPMD WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4369 Chemin / cible — Service EPMD Payload n Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 14 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) n Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a", "emulator_response_len": 35, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "epmd", "app_proto": "epmd", "asn": 14618, "country": "US", "dst_port": 4369, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 14, "tag_count": 0, "anomaly_count": 0, "campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3", "event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 14, "correlation_boost": 8 }, "service_name": "epmd", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "76fae3c085bb43bf34b254b13bd8d00d", "path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c" }, "target_context": { "dst_port": 4369, "service": "epmd", "service_name": "epmd", "risk_score": 14 }, "payload_preview": "\u0000\u0001n", "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "evidence": { "request_sample": "\u0000\u0001n", "payload_snippet": "\u0000\u0001n", "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "559c3d5270361df399d08cf6f4c93bb6f6e23c67", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "evidence_snippet": "n", "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 14, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 14, "risk_label": "Faible", "service_name": "epmd", "service_label_fr": "EPMD", "dst_port": 4369, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-epmd", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0000\u0001n", "port": 4369, "service": "epmd", "service_label_fr": "EPMD" }, "attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)", "evidence_snippet": "n", "target_port_label": "4369 \u00b7 EPMD", "emulator_service": "epmd", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "epmd", "service_banner": "honeypot-epmd", "service_os": "linux", "dst_port": "4369" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "epmd", "weblogic" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
07/06/2026 21:47:51 UTC	TCP	7001 · WEBLOGIC	weblogic	weblogic probe weblogic probe · via WEBLOGIC:7001 · (sonde / probe)	Élevée	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_weblogic_probe weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Payload t3 12.2.1 AS:255 HL:19 MS:10000000 Pourquoi cette classification : Type « weblogic_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Faible · 33 Confiance : Confiance 77 % — 2 signal(aux) capteur Protocole émulé 1 Signaux Weblogic Console Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.2.1 AS:255 HL:19 MS:10000000 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "bytes_in": 36, "payload_entropy": 3.648511114409896, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "weblogic", "app_proto": "weblogic", "asn": 14618, "country": "US", "dst_port": 7001, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 33, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3209cb76d7a9ac3a6e65d8bcbb4694715e457ed2", "event_fingerprint": "4ea7ffe7bc9ade2843b5e81016a496bfea35cfd6", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence": 0.77, "classification_confidence": 0.77, "precision_score": 87, "precision_signals": [ "INT-weblogic_console", "INT-upstream" ], "kb_rule_ids": [ "INT-weblogic_console", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 33 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 77, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c774fdf36465e0ff86b6cbcdac011d2c", "path_pattern_hash": "a179ef516d6662010534ca5ee85ea8d3" }, "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 33 }, "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "request_sample": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "payload_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "evidence": { "request_sample": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n", "payload_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3f6e61b0b8db97e25e9ab89dd9892388baf41d0", "protocol_details": { "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "evidence_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab weblogic_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 33 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "INT-weblogic_console", "INT-upstream" ], "tags_summary_labels_fr": [ "Weblogic Console", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "weblogic probe \u00b7 via WEBLOGIC:7001 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.2.1\nAS:255\nHL:19\nMS:10000000", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 77 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_weblogic_probe", "weblogic_emulated" ], "asn_dc_heuristic": true }
06/06/2026 12:41:32 UTC	TCP	3200	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 27
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3200 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 4, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "sap-diag", "app_proto": "sap-diag", "asn": 14618, "country": "US", "dst_port": 3200, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 27, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cdf6fcc09ebe59373a2401583f118c9305b5e232", "event_fingerprint": "f75ee004db81ec28a6dad82c1555257ed1d50e29", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "df3f619804a92fdb4057192dc43dd748", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3200, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "785189000375fb65aae0a84b35070d648fdab7a1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "asn_dc_heuristic": true }
06/06/2026 12:35:29 UTC	TCP	3200	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 27
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3200 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 4, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "sap-diag", "app_proto": "sap-diag", "asn": 14618, "country": "US", "dst_port": 3200, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 27, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cdf6fcc09ebe59373a2401583f118c9305b5e232", "event_fingerprint": "f75ee004db81ec28a6dad82c1555257ed1d50e29", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "df3f619804a92fdb4057192dc43dd748", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3200, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "785189000375fb65aae0a84b35070d648fdab7a1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "asn_dc_heuristic": true }
06/06/2026 00:07:18 UTC	TCP	3200	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 27
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3200 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 4, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "sap-diag", "app_proto": "sap-diag", "asn": 14618, "country": "US", "dst_port": 3200, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 27, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cdf6fcc09ebe59373a2401583f118c9305b5e232", "event_fingerprint": "f75ee004db81ec28a6dad82c1555257ed1d50e29", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "df3f619804a92fdb4057192dc43dd748", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3200, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "785189000375fb65aae0a84b35070d648fdab7a1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "asn_dc_heuristic": true }
05/06/2026 23:52:46 UTC	TCP	3200	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 27
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3200 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 4, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "sap-diag", "app_proto": "sap-diag", "asn": 14618, "country": "US", "dst_port": 3200, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 38, "novelty": 0 }, "risk_score": 27, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cdf6fcc09ebe59373a2401583f118c9305b5e232", "event_fingerprint": "f75ee004db81ec28a6dad82c1555257ed1d50e29", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "df3f619804a92fdb4057192dc43dd748", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3200, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "785189000375fb65aae0a84b35070d648fdab7a1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:37:39 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 66% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 23, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.66, "classification_confidence": 0.66, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:30:59 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http2_preface irc_emulated irc_payload net_irc_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PRI * HTTP/2.0 SM Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 33, "payload_entropy": 3.65045472541906, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6ea8e57d6f0d0fe2738565bea26ba4acbbf7f13c", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da74b3e9488c0813fcd76f6273b0c115", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8add63b66fc32ab89ace076e3944251202c9adca", "ban_policy": "advisory_monitor", "tags_list": [ "http2_preface", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:30:59 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 66% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 23, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.66, "classification_confidence": 0.66, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:22:00 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 66% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 23, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.66, "classification_confidence": 0.66, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:22:00 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http2_preface irc_emulated irc_payload net_irc_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PRI * HTTP/2.0 SM Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 33, "payload_entropy": 3.65045472541906, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6ea8e57d6f0d0fe2738565bea26ba4acbbf7f13c", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da74b3e9488c0813fcd76f6273b0c115", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8add63b66fc32ab89ace076e3944251202c9adca", "ban_policy": "advisory_monitor", "tags_list": [ "http2_preface", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:02:15 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags botnet_c2 irc_c2_probe irc_emulated irc_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 66% Confiance classification 66% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IRC NICK User-Agent — Règles WAF — Payload (extrait) NICK networkscanfp USER networkscanfp 0 * :networkscan Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 57, "payload_entropy": 4.465988207178161, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 23, "tag_count": 5, "anomaly_count": 0, "campaign_key": "99f4ac5b91fbb8410df9d214855df0d0e02c8f03", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%", "confidence": 0.66, "classification_confidence": 0.66, "precision_score": 73, "precision_signals": [ "pat-0529", "INT-upstream" ], "kb_rule_ids": [ "pat-0529", "INT-upstream" ], "matched_patterns": [ "pat-0529" ], "matched_pattern_names": [ "IRC NICK" ], "pattern_ids": [ "pat-0529" ], "risk_confidence_factor": 66, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0404b7509e014c4edc31542d095f75d3", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "evidence": { "request_sample": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan\r\n", "payload_snippet": "NICK networkscanfp\r\nUSER networkscanfp 0 * :networkscan", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7be22b9b01b50821ff396908ed6b2548d45c3bdf", "ban_policy": "advisory_monitor", "tags_list": [ "botnet_c2", "irc_c2_probe", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }
05/06/2026 22:02:15 UTC	TCP	6667	irc	irc probe	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http2_preface irc_emulated irc_payload net_irc_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6667 Chemin / cible — Pourquoi cette classification : Type « irc_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) PRI * HTTP/2.0 SM Meta JSON brut { "protocol_emulated": true, "emulator_response": "3a686f6e6579706f742e69726320303031206775657374203a57656c636f6d6520746f20686f6e6579706f74204952430d0a", "emulator_response_len": 50, "bytes_in": 33, "payload_entropy": 3.65045472541906, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "irc", "app_proto": "irc", "asn": 14618, "country": "US", "dst_port": 6667, "risk_waf": 8, "risk_classification": 46, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 46, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6ea8e57d6f0d0fe2738565bea26ba4acbbf7f13c", "event_fingerprint": "9e2ac318555e178ff4e9bfc08626bc39d4f21eec", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 14618, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da74b3e9488c0813fcd76f6273b0c115", "path_pattern_hash": "744abe26e51e9cc67ce7db92019436c3" }, "target_context": { "dst_port": 6667, "service": "irc" }, "payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab irc_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8add63b66fc32ab89ace076e3944251202c9adca", "ban_policy": "advisory_monitor", "tags_list": [ "http2_preface", "irc_emulated", "irc_payload", "net_irc_probe" ], "asn_dc_heuristic": true }

54.88.163.67

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence