Détails IP 59.127.68.36

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 01/06/2026 15:02 UTC

Dernière observation 15/06/2026 12:09 UTC

Événements (période) 44

MITRE ATT&CK principal TA0007 9 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_81_tcp » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 3462 · 59.127.0.0/16 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 44 événements sur la période pour cette IP.

114.35.100.79 Sonde port 23/TCP 17/06/2026 14:54 UTC
122.117.253.237 Sonde PostgreSQL 16/06/2026 22:32 UTC
125.229.237.152 mssql probe 16/06/2026 21:41 UTC
36.232.56.220 Sonde port 23/TCP 16/06/2026 19:57 UTC
125.229.104.192 Sonde port 23/TCP 16/06/2026 17:13 UTC
122.117.219.87 Sonde port 23/TCP 16/06/2026 08:12 UTC
220.135.28.199 Sonde port 23/TCP 16/06/2026 06:23 UTC
60.250.246.239 Sonde SSH 16/06/2026 05:08 UTC

Événements (filtres)

Première observation

01/06/2026 15:02 UTC

Dernière observation

15/06/2026 12:09 UTC

Dernière activité (filtres)

15/06/2026 12:09 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 20 TLS TCP 16 HTTP ALT 81 TCP 3

HTTP

TLS

HTTP ALT 81

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Data Communication Business Group 28 Port 81 port_81_tcp

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 81 tcp · via HTTP ALT 81:81 · (sonde / probe)

Détails protocole

Aperçu payload

�

Port / service

81 · HTTP ALT 81

Service émulé

HTTP-ALT-81

Raison confiance

Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0348

Confiance

49% Confiance modérée — signal unique

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

44 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

44 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 12:09:27 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde port 81/TCP port 81 tcp · via HTTP ALT 81:81 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Preuve honeypot — Sonde port 81/TCP Connexion détectée sur le port 81 (TCP) du capteur simulé. Service HTTP ALT 81 Payload � Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "3f22551d39a092b08990354bd45c12679c434288", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "844041c5e4042c15d8ec9854632386ec" }, "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bae379cf60f0c198eee7c95775d7a1dcd0b04066", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd", "attack_vector": "port 81 tcp \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "port 81 tcp \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
15/06/2026 10:15:36 UTC	TCP	82	—	Sonde port 82/TCP port 82 tcp · port 82 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 82 Chemin / cible — Preuve honeypot — Sonde port 82/TCP Connexion détectée sur le port 82 (TCP) du capteur simulé. Payload � Pourquoi cette classification : Type « port_82_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "well_known", "org": "Data Communication Business Group", "service": null, "app_proto": null, "asn": 3462, "country": "TW", "dst_port": 82, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "1db0c25c3e7fa7ce5373b024112f1cb734246e51", "event_fingerprint": "c4397f46a06da32deca07047a24c1b5a9b08c7f0", "classification_reason": "Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "52e0bf4ab2b799978888079f70574e70" }, "target_context": { "dst_port": 82, "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c35775cc8acea962a9e61726ebd3510698b805b", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 82 }, "evidence_snippet": "\ufffd", "attack_vector": "port 82 tcp \u00b7 port 82 \u00b7 (sonde \/ probe)", "target_port_label": "82", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 82, "protocol_emulated": null, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 82 }, "attack_vector": "port 82 tcp \u00b7 port 82 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "82", "emulator_service": null, "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "82" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
15/06/2026 09:40:09 UTC	TCP	83	—	Sonde port 83/TCP port 83 tcp · port 83 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 83 Chemin / cible — Preuve honeypot — Sonde port 83/TCP Connexion détectée sur le port 83 (TCP) du capteur simulé. Payload � Pourquoi cette classification : Type « port_83_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "well_known", "org": "Data Communication Business Group", "service": null, "app_proto": null, "asn": 3462, "country": "TW", "dst_port": 83, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4a260732dc0a8c1540f02d73f462708a767e1c8c", "event_fingerprint": "3ef2b49f44b2eb006b7bd03a961ab342deda739e", "classification_reason": "Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "4a7b1a8d783e67d2ff3c8db2a91e8e5d" }, "target_context": { "dst_port": 83, "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9738cfa545e4c263ce8618c02fa738917a063ff7", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 83 }, "evidence_snippet": "\ufffd", "attack_vector": "port 83 tcp \u00b7 port 83 \u00b7 (sonde \/ probe)", "target_port_label": "83", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 83, "protocol_emulated": null, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 83 }, "attack_vector": "port 83 tcp \u00b7 port 83 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "83", "emulator_service": null, "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "83" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
15/06/2026 09:26:56 UTC	TCP	84	—	Sonde port 84/TCP port 84 tcp · port 84 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 84 Chemin / cible — Preuve honeypot — Sonde port 84/TCP Connexion détectée sur le port 84 (TCP) du capteur simulé. Payload � Pourquoi cette classification : Type « port_84_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "well_known", "org": "Data Communication Business Group", "service": null, "app_proto": null, "asn": 3462, "country": "TW", "dst_port": 84, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4f3d8d4e3a9c9318ea39313050033868d1f60ec3", "event_fingerprint": "546285452bbd5f8ce47d091da5a63c6de86c6f50", "classification_reason": "Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "cfac7605fc5aa8c0117c3c6e17eca918" }, "target_context": { "dst_port": 84, "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8df68b1432976dc8cdca3345c6556e9c9321c869", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 84 }, "evidence_snippet": "\ufffd", "attack_vector": "port 84 tcp \u00b7 port 84 \u00b7 (sonde \/ probe)", "target_port_label": "84", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 84, "protocol_emulated": null, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 84 }, "attack_vector": "port 84 tcp \u00b7 port 84 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "84", "emulator_service": null, "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "84" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
15/06/2026 07:32:52 UTC	TCP	86	—	Sonde port 86/TCP port 86 tcp · port 86 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 86 Chemin / cible — Preuve honeypot — Sonde port 86/TCP Connexion détectée sur le port 86 (TCP) du capteur simulé. Payload � Pourquoi cette classification : Type « port_86_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "well_known", "org": "Data Communication Business Group", "service": null, "app_proto": null, "asn": 3462, "country": "TW", "dst_port": 86, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 35, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4af089b9507a1e70353dc0c085550f8cbb8850d3", "event_fingerprint": "c8710676a0b481b56d1f6f8d9084f121bafccb94", "classification_reason": "Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "839ab593b10093c44b3ee061995f9bf0" }, "target_context": { "dst_port": 86, "risk_score": 35 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb6bae1f37f1530793d02e948cf268e21a9cbb33", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 86 }, "evidence_snippet": "\ufffd", "attack_vector": "port 86 tcp \u00b7 port 86 \u00b7 (sonde \/ probe)", "target_port_label": "86", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 86, "protocol_emulated": null, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 86 }, "attack_vector": "port 86 tcp \u00b7 port 86 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "86", "emulator_service": null, "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "86" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor" }
14/06/2026 12:31:32 UTC	TCP	81 · HTTP	http	phpmyadmin probe phpmyadmin probe · via HTTP:81 · (sonde / probe) · → /phpmyadmin/index.php	Élevée	Moyen · 53
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /phpmyadmin/index.php UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /phpmyadmin/index.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /phpmyadmin/index.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 53 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux Sonde phpMyAdmin pat-0747 Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) CRS 941130 Sigma phpMyAdmin Probe /phpMyAdmin/ Probe /phpmyadmin/ Ligne de requête `GET /phpmyadmin/index.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3464.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /phpmyadmin/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/ Requête brute (extrait) GET /phpmyadmin/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2c635ad650d01cbd2c0fc2f45522f3404c434adb", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "d9d69039afb2ecff72da068cd4d55fa567bb6898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 351, "payload_entropy": 5.5287391053057116, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 8, "anomaly_count": 0, "campaign_key": "a886725ae9475813b11f768804373ed1f70031c9", "event_fingerprint": "80062ff12119bb8ef5f3382ec0709c0e95467fb4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 140, "precision_signals": [ "INT-SEC-phpmyadmin", "pat-0747" ], "kb_rule_ids": [ "INT-SEC-phpmyadmin", "pat-0747" ], "matched_patterns": [ "pat-0284", "pat-0747", "pat-0269", "pat-0270" ], "matched_pattern_names": [ "CRS 941130", "Sigma phpMyAdmin", "Probe \/phpMyAdmin\/", "Probe \/phpmyadmin\/" ], "pattern_ids": [ "pat-0284", "pat-0747", "pat-0269", "pat-0270" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "adf894d47d9cb903c775334ed0de578a", "payload_hash": "2818482c928651ab83a04ab363403b43", "path_pattern_hash": "3c30a6d153f9af65c86ed8ad22dc540a" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "method": "GET", "path": "\/phpmyadmin\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "request_sample": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A", "payload_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "evidence": { "method": "GET", "path": "\/phpmyadmin\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "request_sample": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A", "payload_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86f3c1944c11508a56707bd90566eabfa6e4cdc7", "protocol_details": { "http_method": "GET", "http_path": "\/phpmyadmin\/index.php", "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "attack_vector": "phpmyadmin probe \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "INT-SEC-phpmyadmin", "pat-0747" ], "tags_summary_labels_fr": [ "Sonde phpMyAdmin", "pat-0747" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/phpmyadmin\/index.php", "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "phpmyadmin probe \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php", "evidence_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_phpmyadmin_probe", "http_probe_phpmyadmin", "http_sensitive_path", "net_web_probe" ] }
14/06/2026 12:31:32 UTC	TCP	81 · HTTP	http	Cross-site scripting xss attack · via HTTP:81 · (tentative d'exploit) · → /pmd/index.php	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /pmd/index.php UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /pmd/index.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /pmd/index.php Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 50 Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Ligne de requête `GET /pmd/index.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3464.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /pmd/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,im Requête brute (extrait) GET /pmd/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWeb Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2c635ad650d01cbd2c0fc2f45522f3404c434adb", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "8d1717e978103288d9531d8d7a2d4c48c6174cd4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 344, "payload_entropy": 5.525367529934442, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "adab595e4331d7bec6b986c47697fca4df234d1c", "event_fingerprint": "03f165a284065acd797d60b56c46199b5f717efd", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "adf894d47d9cb903c775334ed0de578a", "payload_hash": "72fce6c2a0f6123d8ecae7ea7c3ebc95", "path_pattern_hash": "d10368097e2d26bf37929d712babb32d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "method": "GET", "path": "\/pmd\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/pmd\/index.php HTTP\/1.1", "request_sample": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "payload_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "evidence": { "method": "GET", "path": "\/pmd\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/pmd\/index.php HTTP\/1.1", "request_sample": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "payload_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "670318d09479f80e533528cb3eb9a49225a8e3c7", "protocol_details": { "http_method": "GET", "http_path": "\/pmd\/index.php", "request_line": "GET \/pmd\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "attack_vector": "xss attack \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/pmd\/index.php", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/pmd\/index.php", "request_line": "GET \/pmd\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/pmd\/index.php", "evidence_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
14/06/2026 12:27:00 UTC	TCP	82 · HTTP	http	Cross-site scripting xss attack · via HTTP:82 · (tentative d'exploit) · → /pmd/index.php	Élevée	Moyen · 49
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /pmd/index.php UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /pmd/index.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /pmd/index.php Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 49 Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 Ligne de requête `GET /pmd/index.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3464.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /pmd/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,im Requête brute (extrait) GET /pmd/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWeb Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2c635ad650d01cbd2c0fc2f45522f3404c434adb", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "8d1717e978103288d9531d8d7a2d4c48c6174cd4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 344, "payload_entropy": 5.528987043009548, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 82, "risk_waf": 84, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6c0b9fe95853a2a15b214b1f6b937416914203bf", "event_fingerprint": "d5ef5bc29d5c346f3b4f9102f47df3fbd11e09b4", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "adf894d47d9cb903c775334ed0de578a", "payload_hash": "72fce6c2a0f6123d8ecae7ea7c3ebc95", "path_pattern_hash": "d10368097e2d26bf37929d712babb32d" }, "target_context": { "dst_port": 82, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "method": "GET", "path": "\/pmd\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/pmd\/index.php HTTP\/1.1", "request_sample": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "payload_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "evidence": { "method": "GET", "path": "\/pmd\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/pmd\/index.php HTTP\/1.1", "request_sample": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "payload_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "09e7b4b4b4329a46518980e91ea8aa7ca9d6b304", "protocol_details": { "http_method": "GET", "http_path": "\/pmd\/index.php", "request_line": "GET \/pmd\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 82, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "attack_vector": "xss attack \u00b7 via HTTP:82 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/pmd\/index.php", "target_port_label": "82 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 84, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 49 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 82, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/pmd\/index.php", "request_line": "GET \/pmd\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 82, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:82 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/pmd\/index.php", "evidence_snippet": "GET \/pmd\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im", "target_port_label": "82 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "82" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "behavior_alert_count": 1, "behavior_priority": 96 }
14/06/2026 12:26:59 UTC	TCP	82 · HTTP	http	phpmyadmin probe phpmyadmin probe · via HTTP:82 · (sonde / probe) · → /phpmyadmin/index.php	Élevée	Moyen · 53
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /phpmyadmin/index.php UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /phpmyadmin/index.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 82 Chemin / cible /phpmyadmin/index.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 53 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux Sonde phpMyAdmin pat-0747 Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) CRS 941130 Sigma phpMyAdmin Probe /phpMyAdmin/ Probe /phpmyadmin/ Ligne de requête `GET /phpmyadmin/index.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3464.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /phpmyadmin/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/ Requête brute (extrait) GET /phpmyadmin/index.php HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) A Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "2c635ad650d01cbd2c0fc2f45522f3404c434adb", "http_host_hash": "b00c56701bd04898edc8a488547d32d613363649", "http_target_hash": "d9d69039afb2ecff72da068cd4d55fa567bb6898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 351, "payload_entropy": 5.532286434359378, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 82, "risk_waf": 84, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 53, "tag_count": 7, "anomaly_count": 0, "campaign_key": "4c941fbb01761ff5367fc9f90be070eea96d5b4a", "event_fingerprint": "ec9378bb93c02782d8c2529a3e31f21164b2f9cc", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 140, "precision_signals": [ "INT-SEC-phpmyadmin", "pat-0747" ], "kb_rule_ids": [ "INT-SEC-phpmyadmin", "pat-0747" ], "matched_patterns": [ "pat-0284", "pat-0747", "pat-0269", "pat-0270" ], "matched_pattern_names": [ "CRS 941130", "Sigma phpMyAdmin", "Probe \/phpMyAdmin\/", "Probe \/phpmyadmin\/" ], "pattern_ids": [ "pat-0284", "pat-0747", "pat-0269", "pat-0270" ], "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 53 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "adf894d47d9cb903c775334ed0de578a", "payload_hash": "2818482c928651ab83a04ab363403b43", "path_pattern_hash": "3c30a6d153f9af65c86ed8ad22dc540a" }, "target_context": { "dst_port": 82, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "method": "GET", "path": "\/phpmyadmin\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "request_sample": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A", "payload_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "evidence": { "method": "GET", "path": "\/phpmyadmin\/index.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "request_sample": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,\/;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A", "payload_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b2d66ed3621197b8bcdcded85f6ed36962cbfa3", "protocol_details": { "http_method": "GET", "http_path": "\/phpmyadmin\/index.php", "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 82, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "attack_vector": "phpmyadmin probe \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php", "target_port_label": "82 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 54, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 53 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 82, "protocol_emulated": null, "tags_summary": [ "INT-SEC-phpmyadmin", "pat-0747" ], "tags_summary_labels_fr": [ "Sonde phpMyAdmin", "pat-0747" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/phpmyadmin\/index.php", "request_line": "GET \/phpmyadmin\/index.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36", "port": 82, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "phpmyadmin probe \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php", "evidence_snippet": "GET \/phpmyadmin\/index.php HTTP\/1.1\r\nConnection: Keep-Alive\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/", "target_port_label": "82 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "82" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_phpmyadmin_probe", "http_probe_phpmyadmin", "http_sensitive_path" ] }
13/06/2026 16:17:38 UTC	TCP	81 · HTTP ALT 81	http-alt-81	http-alt-81 http-alt-81 · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 fc54e0d16d976478 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ZVj-��-u��J�߱��;N�^K�z�Rl�� 5/ #� Pourquoi cette classification : Type « http-alt-81 » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ZVj-��-u��J�߱��;N�^K�z�Rl�� 5/ #� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 95, "payload_entropy": 4.693033402864555, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 8, "risk_classification": 24, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "78af023cf79e2cc551b3bc717eee4762bcf624d5", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "service_name": "http-alt-81", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6c5baa0340f3375104f686d3d2c9e499", "path_pattern_hash": "96b5770472eb71fcb1b2ba3134979c11", "ja3": "fc54e0d16d9764783542f0146a98b300", "ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "fc54e0d16d9764783542f0146a98b300", "tls_ja3": "769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0", "tls_ja4_hash": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_ja4": "t13d0107_b7265d80ddb0_28135b4947ef", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58194eef604a306f756ff2b535e4164bf8fc7313", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "ZVj-\ufffd\ufffd\ufffd\ufffd\ufffd-u\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;N\ufffd^K\ufffdz\ufffdRl\ufffd\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\u0007N\u0011\ufffd\u001d^K\ufffdz\ufffdRl\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "ZVj-\ufffd\ufffd\ufffd\ufffd\ufffd-u\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;N\ufffd^K\ufffdz\ufffdRl\ufffd\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
13/06/2026 16:17:37 UTC	TCP	81 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:81 · (tentative d'exploit) · → /manager/html	Élevée	Élevé · 78
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /manager/html UA User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_admin_panel_scan Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /manager/html Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 78 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Tomcat manager Probe /manager/html Ligne de requête `GET /manager/html HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF rce-0 nosqli-3 tomcat-manager Payload (extrait) GET /manager/html HTTP/1.1 User-Agent: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Accept: Requête brute (extrait) GET /manager/html HTTP/1.1 User-Agent: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Accept: / Accept-Language: zh-cn,en-us;q=0.5 Host: 62.3.50.33:81 Connection: Keep-Alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.398633346153425, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 6, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 78, "tag_count": 9, "anomaly_count": 0, "campaign_key": "0f5773248a66dfbd80b14ff58a53b6a44fb2fcf0", "event_fingerprint": "d4d06c09462605e92212dae3cbea23c1f3ddfd41", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0856", "pat-0265" ], "matched_pattern_names": [ "ET Tomcat manager", "Probe \/manager\/html" ], "pattern_ids": [ "pat-0856", "pat-0265" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 78 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2da35aefb7eec9447dea0b632e44eff7", "payload_hash": "3fe5a0ff1bb3ff978f924a2f9ec545cb", "path_pattern_hash": "2a5bd2a503123c9365f0cfa2aeeb56d1" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 78 }, "payload_preview": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "method": "GET", "path": "\/manager\/html", "user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager" ], "waf_rule_names": [ "rce-0", "nosqli-3", "tomcat-manager" ], "request_line": "GET \/manager\/html HTTP\/1.1", "request_sample": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept: \/\r\nAccept-Language: zh-cn,en-us;q=0.5\r\nHost: 62.3.50.33:81\r\nConnection: Keep-Alive\r\n\r\n", "payload_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "evidence": { "method": "GET", "path": "\/manager\/html", "user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager" ], "waf_rule_names": [ "rce-0", "nosqli-3", "tomcat-manager" ], "request_line": "GET \/manager\/html HTTP\/1.1", "request_sample": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept: \/\r\nAccept-Language: zh-cn,en-us;q=0.5\r\nHost: 62.3.50.33:81\r\nConnection: Keep-Alive\r\n\r\n", "payload_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffad68b435828cc095d10d6b6dfc94a7d8bcb275", "protocol_details": { "http_method": "GET", "http_path": "\/manager\/html", "request_line": "GET \/manager\/html HTTP\/1.1", "http_user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/manager\/html", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 78\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 78 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 78, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/manager\/html", "request_line": "GET \/manager\/html HTTP\/1.1", "http_user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/manager\/html", "evidence_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_admin_panel_scan", "http_metasploit_ua", "http_probe_manager", "http_sensitive_path", "http_tomcat_manager_probe", "net_web_probe" ] }
13/06/2026 16:17:37 UTC	TCP	81 · HTTP ALT 81	http-alt-81	http-alt-81 http-alt-81 · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 fc54e0d16d976478 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ZVj-��qyC�� q'�H�#@k1�}�;~V~�� 5/ #� Pourquoi cette classification : Type « http-alt-81 » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ZVj-��qyC�� q'�H�#@k1�}�;~V~�� 5/ #� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 95, "payload_entropy": 4.611608797669717, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 3462, "country": "TW", "dst_port": 81, "risk_waf": 8, "risk_classification": 24, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "78af023cf79e2cc551b3bc717eee4762bcf624d5", "event_fingerprint": "da8b22a909c287a6570bb2c7dce20fa4de2070cb", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "service_name": "http-alt-81", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1723523162c4a6b7530203edbfe60b67", "path_pattern_hash": "96b5770472eb71fcb1b2ba3134979c11", "ja3": "fc54e0d16d9764783542f0146a98b300", "ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "fc54e0d16d9764783542f0146a98b300", "tls_ja3": "769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0", "tls_ja4_hash": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_ja4": "t13d0107_b7265d80ddb0_28135b4947ef", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5709b5f30b144b068870681df0bc4a2ef244405b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "ZVj-\ufffd\ufffdqyC\ufffd\ufffd\nq'\ufffdH\ufffd#@k1\ufffd}\ufffd;~V~\ufffd\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 24, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-\ufffd\ufffdqy\u0018C\ufffd\ufffd\u0017\nq'\ufffdH\ufffd#@k1\u0017\ufffd}\ufffd;~V\u000f\u0007~\ufffd\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "ZVj-\ufffd\ufffdqyC\ufffd\ufffd\nq'\ufffdH\ufffd#@k1\ufffd}\ufffd;~V~\ufffd\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
13/06/2026 15:33:15 UTC	TCP	85 · TLS	tls	Sonde TLS tls probe · via TLS:85 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 fc54e0d16d976478 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 85 Chemin / cible — Service TLS Payload ZVj-xB��z��פ��v&�t�vm�q�}N<X� � ��5/ #� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ZVj-xB��z��פ��v&�t�vm�q�}N<X� � ��5/ #� Meta JSON brut { "tls_ja3_hash": "fc54e0d16d9764783542f0146a98b300", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 3, "bytes_in": 95, "payload_entropy": 4.660794289175406, "port_category": "well_known", "org": "Data Communication Business Group", "service": "tls", "app_proto": "tls", "asn": 3462, "country": "TW", "dst_port": 85, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "31a047642b29cfbe29d3a33bc466b99d2bddbb3d", "event_fingerprint": "ff2a49f50cf316ab588daa86e8c6e68a902114f8", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "fc54e0d16d9764783542f0146a98b300", "payload_hash": "447919c0d7072fe2e15f4b086da370f6", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c", "ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0", "tls_ja4_hash": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_ja4": "t13d0107_b7265d80ddb0_28135b4947ef", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 85, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12fc1ffe80351de5d0db9ee2222464afeb1849e0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "ZVj-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\ufffdv&\ufffdt\ufffdvm\ufffdq\ufffd}N<X\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "attack_vector": "tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 85, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\u0000\ufffdv&\u0001\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\u001d<X\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)", "evidence_snippet": "ZVj-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\ufffdv&\ufffdt\ufffdvm\ufffdq\ufffd}N<X\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "85" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
13/06/2026 15:33:15 UTC	TCP	85 · TLS	tls	Sonde TLS tls probe · via TLS:85 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 fc54e0d16d976478 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 85 Chemin / cible — Service TLS Payload ZVj-xBTs �v2�ql�jA� ��8K�v� � ��5/ #� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ZVj-xBTs �v2�ql�jA� ��8K�v� � ��5/ #� Meta JSON brut { "tls_ja3_hash": "fc54e0d16d9764783542f0146a98b300", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 3, "bytes_in": 95, "payload_entropy": 4.645767876594312, "port_category": "well_known", "org": "Data Communication Business Group", "service": "tls", "app_proto": "tls", "asn": 3462, "country": "TW", "dst_port": 85, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "31a047642b29cfbe29d3a33bc466b99d2bddbb3d", "event_fingerprint": "ff2a49f50cf316ab588daa86e8c6e68a902114f8", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "fc54e0d16d9764783542f0146a98b300", "payload_hash": "7414fc280838c39477c0ceb44b1fd3a2", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c", "ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0", "tls_ja4_hash": "3ab2335e12df1a4a6be80ed5e53cce26", "tls_ja4": "t13d0107_b7265d80ddb0_28135b4947ef", "tls_version": "0x0301", "tls_cipher_count": 7, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 85, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd87711b3cf5d906c3efdab49047a25f8f810092", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "ZVj-xBTs \ufffdv2\ufffdql\ufffdjA\ufffd\n\ufffd\ufffd\ufffd8K\ufffdv\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "attack_vector": "tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 85, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000Z\u0001\u0000\u0000V\u0003\u0001j-xBTs \ufffdv2\ufffdql\u0010\ufffdjA\u0002\ufffd\u0017\u001f\n\ufffd\ufffd\ufffd8\u001dK\ufffdv\u0000\u0000\u000e\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u00005\u0000\/\u0000\n\u0001\u0000\u0000\u001f\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\u0017\u0000\u0000\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "fc54e0d16d9764783542f0146a98b300", "tls_ja4": "3ab2335e12df1a4a6be80ed5e53cce26", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)", "evidence_snippet": "ZVj-xBTs \ufffdv2\ufffdql\ufffdjA\ufffd\n\ufffd\ufffd\ufffd8K\ufffdv\ufffd\n\ufffd\t\ufffd\ufffd5\/\n\n#\ufffd", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "85" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
13/06/2026 15:33:14 UTC	TCP	85 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:85 · (tentative d'exploit) · → /manager/html	Élevée	Élevé · 78
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /manager/html UA User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_admin_panel_scan Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 85 Chemin / cible /manager/html Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Élevé · 78 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) ET Tomcat manager Probe /manager/html Ligne de requête `GET /manager/html HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF rce-0 nosqli-3 tomcat-manager Payload (extrait) GET /manager/html HTTP/1.1 User-Agent: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Accept: Requête brute (extrait) GET /manager/html HTTP/1.1 User-Agent: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Accept: / Accept-Language: zh-cn,en-us;q=0.5 Host: 62.3.50.33:85 Connection: Keep-Alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "29631142709d39bee607e41cbb81ae54d3741f51", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.396953493726696, "port_category": "well_known", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "dst_port": 85, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 6.5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 78, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0e3b7c0857bc670d28d149d776fedc21ea8b6b0a", "event_fingerprint": "57bf439c0ca87c04b5b0ac2dfa7f3d0e74bb8755", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0856", "pat-0265" ], "matched_pattern_names": [ "ET Tomcat manager", "Probe \/manager\/html" ], "pattern_ids": [ "pat-0856", "pat-0265" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 78 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2da35aefb7eec9447dea0b632e44eff7", "payload_hash": "064be40181a4dff399b6e5393eda6616", "path_pattern_hash": "2a5bd2a503123c9365f0cfa2aeeb56d1" }, "target_context": { "dst_port": 85, "service": "http", "service_name": "http", "risk_score": 78 }, "payload_preview": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "method": "GET", "path": "\/manager\/html", "user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager" ], "waf_rule_names": [ "rce-0", "nosqli-3", "tomcat-manager" ], "request_line": "GET \/manager\/html HTTP\/1.1", "request_sample": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept: \/\r\nAccept-Language: zh-cn,en-us;q=0.5\r\nHost: 62.3.50.33:85\r\nConnection: Keep-Alive\r\n\r\n", "payload_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "evidence": { "method": "GET", "path": "\/manager\/html", "user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager" ], "waf_rule_names": [ "rce-0", "nosqli-3", "tomcat-manager" ], "request_line": "GET \/manager\/html HTTP\/1.1", "request_sample": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept: \/\r\nAccept-Language: zh-cn,en-us;q=0.5\r\nHost: 62.3.50.33:85\r\nConnection: Keep-Alive\r\n\r\n", "payload_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a0e84a9462862b809de75ccf53e080580a97ff4", "protocol_details": { "http_method": "GET", "http_path": "\/manager\/html", "request_line": "GET \/manager\/html HTTP\/1.1", "http_user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "port": 85, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "attack_vector": "config file probe \u00b7 via HTTP:85 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/manager\/html", "target_port_label": "85 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 78\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 78 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 78, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 85, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/manager\/html", "request_line": "GET \/manager\/html HTTP\/1.1", "http_user_agent": "User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705", "port": 85, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:85 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/manager\/html", "evidence_snippet": "GET \/manager\/html HTTP\/1.1\r\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\r\nAccept:", "target_port_label": "85 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "85" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_admin_panel_scan", "http_metasploit_ua", "http_probe_manager", "http_sensitive_path", "http_tomcat_manager_probe" ] }
03/06/2026 19:44:48 UTC	TCP	8082	—	Sonde RDP	Élevée	Faible · 14
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags rdp_cookie Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8082 Chemin / cible — Confiance classification 68% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "registered", "org": "Data Communication Business Group", "service": null, "app_proto": null, "asn": 3462, "country": "TW", "dst_port": 8082, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 14, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7682ba8e5503ad73f03e313743a0029945d655f9", "event_fingerprint": "47876f2c8b55e542f508bb55e39e33fb19ae7388", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TW", "asn": 3462, "org": "Data Communication Business Group", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 8082 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.68, "classification_confidence": 0.68, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "event_signature": "c1792da962a566069a5ab11fb478dece161ee714", "ban_policy": "advisory_monitor", "tags_list": [ "rdp_cookie" ] }
01/06/2026 20:36:25 UTC	TCP	8083	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 20:36:24 UTC	TCP	8083	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "21e69ce58b85e5f3297487d2897913a40772a115", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.403739485391876, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "22188adc439f7bcee1ae9fe737e095a53c2fa7b0", "event_fingerprint": "fb0320d1ee5f335a407df009ef3c28bb80dd43ce", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 20:36:24 UTC	TCP	8083	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 20:36:23 UTC	TCP	8083	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "21e69ce58b85e5f3297487d2897913a40772a115", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.403739485391876, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "22188adc439f7bcee1ae9fe737e095a53c2fa7b0", "event_fingerprint": "fb0320d1ee5f335a407df009ef3c28bb80dd43ce", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 19:32:16 UTC	TCP	8085	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 19:32:16 UTC	TCP	8085	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 19:32:15 UTC	TCP	8085	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.403739485391876, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "08f49b16f1ad0134fb09e38cd2ec151a41a0cb40", "event_fingerprint": "4b02f8ac7f91de0f1ec9c804a60fd14817d65202", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 19:32:15 UTC	TCP	8085	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.403739485391876, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "08f49b16f1ad0134fb09e38cd2ec151a41a0cb40", "event_fingerprint": "4b02f8ac7f91de0f1ec9c804a60fd14817d65202", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 19:22:46 UTC	TCP	8086	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 19:22:45 UTC	TCP	8086	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "dca14bd323afb7abea7bafa539fc0b23ad09cfc0", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.40764246700043, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "6e0eeb7dc25b28e3aaf05c3b409783149c0d258c", "event_fingerprint": "6aac612409cd55f08a6c80629376d8d7aad72744", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 19:22:45 UTC	TCP	8086	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 19:22:44 UTC	TCP	8086	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "dca14bd323afb7abea7bafa539fc0b23ad09cfc0", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.40764246700043, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "6e0eeb7dc25b28e3aaf05c3b409783149c0d258c", "event_fingerprint": "6aac612409cd55f08a6c80629376d8d7aad72744", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 18:35:04 UTC	TCP	8084	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8084 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "52139ff216422f6e734a2f69155b92f0ec67e9f8", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.411089441896153, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "8ce74d30fb876a7251df5e1b184176ffd421f263", "event_fingerprint": "ea4c7cabfbf656a5250e9be667cf4875fa369f8e", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 18:35:04 UTC	TCP	8084	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 18:35:04 UTC	TCP	8084	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 18:35:03 UTC	TCP	8084	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8084 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "52139ff216422f6e734a2f69155b92f0ec67e9f8", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.411089441896153, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "8ce74d30fb876a7251df5e1b184176ffd421f263", "event_fingerprint": "ea4c7cabfbf656a5250e9be667cf4875fa369f8e", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 17:42:10 UTC	TCP	8081	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 17:42:10 UTC	TCP	8081	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 17:42:09 UTC	TCP	8081	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.405403996700553, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "fd73d33108e78c2418662f3de3fd21fbd796ae98", "event_fingerprint": "f93e147154a168c7b2390fc0128b8687ac45493e", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 17:42:09 UTC	TCP	8081	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.405403996700553, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "fd73d33108e78c2418662f3de3fd21fbd796ae98", "event_fingerprint": "f93e147154a168c7b2390fc0128b8687ac45493e", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 16:29:24 UTC	TCP	8080	tls	Sonde TLS	Élevée	Moyen · 57
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 16:29:23 UTC	TCP	8080	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.400365626619456, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "777879c8e8fdb85566f8be70f1c83b9cc1faacca", "event_fingerprint": "c43fe5976edbb9a5155cc5cb78aedb31eb61dc82", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 16:29:23 UTC	TCP	8080	tls	Sonde TLS	Élevée	Moyen · 57
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 16:29:22 UTC	TCP	8080	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.400365626619456, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "777879c8e8fdb85566f8be70f1c83b9cc1faacca", "event_fingerprint": "c43fe5976edbb9a5155cc5cb78aedb31eb61dc82", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 15:02:59 UTC	TCP	8082	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 15:02:57 UTC	TCP	8082	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8082 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "7a8d0e6c280b76f893f1d973fb51ae53b8bb4673", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.40764246700043, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "c3d1f872ce95a29ef903d64a214ab29964716695", "event_fingerprint": "7c4aeee5712e19d6b5875fa1ea718ef866888c0a", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }
01/06/2026 15:02:57 UTC	TCP	8082	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 15:02:56 UTC	TCP	8082	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950613:tomcat-manager http_probe_manager Cible HTTP GET /manager/html TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8082 Chemin / cible /manager/html Ligne de requête `GET / HTTP/1.1` User-Agent User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Règles WAF 950326:rce-0 950468:nosqli-3 950613:tomcat-manager Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "71582f7cec1d198915fac5fc7c73ef396f2954d6", "http_host_hash": "7a8d0e6c280b76f893f1d973fb51ae53b8bb4673", "http_target_hash": "471948290e7410d0a5241ee075d920bc17a92486", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.40764246700043, "port_category": "registered", "org": "Data Communication Business Group", "service": "http", "app_proto": "http", "asn": 3462, "country": "TW", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "c3d1f872ce95a29ef903d64a214ab29964716695", "event_fingerprint": "7c4aeee5712e19d6b5875fa1ea718ef866888c0a", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950613:tomcat-manager", "http_probe_manager", "http_sensitive_path" ] }

59.127.68.36

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence