{"ip":"62.221.127.224","exported_at":"2026-06-17T06:09:06+00:00","period_days":1,"metrics":{"events7d":109,"distinct_ports":1,"distinct_classifications":1,"max_severity":5,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":32,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["database_scan"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":56,"behavior":0,"geo":0,"protocol":38,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":109,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 32\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":56,"behavior":0,"geo":0,"protocol":38,"novelty":0,"risk_score":32},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0356"],"tags_summary":["pat-0356"],"attack_vector":"mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0000\u0000\u0000TZ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u00010I\u0000\u0000\u0000\u0000\ufffdd\ufffd\ufffd\u0000\u0000\ufffd\u000f\ufffd\ufffd\u0007\u0000tsXrcsXYs9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000crrbts9srY\u0000\u0000\u0000\u0000\u0000\u0000","port":8000,"service":"sap-icm","service_label_fr":"SAP ICM"},"protocol_summary_fr":"Payload TZ\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0004\u00010I\u0000\u0000\u0000\u0000\ufffdd\ufffd\ufffd\u0000\u0000\ufffd\u000f\ufffd\ufffd\u0007\u0000tsXrcsXYs9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u2026 \u00b7 SAP ICM:8000","evidence_snippet":"TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crrbts9srY","target_port_label":"8000 \u00b7 SAP ICM","emulator_service":"sap-icm","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crrbts9srY"},"events":[{"id":9446906,"ip":"62.221.127.224","ts":"2026-06-17 03:10:44.000000","proto":"tcp","src_port":38074,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.824605035766233, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002238bc45cd9e8166235db60c5aa7d0a8d4\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e554d0fc89570842a1a7c7bff4188ca8c588157\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crrbts9srY\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crrbts9srY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crrbts9srY\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9446687,"ip":"62.221.127.224","ts":"2026-06-17 03:06:56.000000","proto":"tcp","src_port":38168,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.788658011853687, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002228438553909213a4a2d6cca0e1592de1\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226e209e86259a55839e507c08ed6a38edd8c62282\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ts9rtsrcX9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9rtsrcX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ts9rtsrcX9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9446449,"ip":"62.221.127.224","ts":"2026-06-17 03:03:09.000000","proto":"tcp","src_port":39484,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8199578985571474, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022406dbc184c71a2badfdf31062cb179ab\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002204fa1917008c203a00af2eacee87dd543040edb2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsbcXr9rXr\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsbcXr9rXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsbcXr9rXr\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9446231,"ip":"62.221.127.224","ts":"2026-06-17 02:59:22.000000","proto":"tcp","src_port":37882,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7495275775941277, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229a69b0b5b9254e3460610656dcae52b3\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d6706a3b2d462b7d845515b485bf65617ece4521\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sstsXrrccs\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sstsXrrccs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sstsXrrccs\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9446037,"ip":"62.221.127.224","ts":"2026-06-17 02:55:34.000000","proto":"tcp","src_port":55400,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.769188106813214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002269ef18e046d01b91606adf935a4be824\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c738c8d5571acf009ea3370b2ef3245e3a29d5c2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9Yscsttsc\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yscsttsc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9Yscsttsc\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9445849,"ip":"62.221.127.224","ts":"2026-06-17 02:51:46.000000","proto":"tcp","src_port":43834,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.807820398454125, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a473d7fee83eee24a9d880f2aa28e91a\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a53f567df783e9cf133ae1b59aab6c6cc90af4b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bbctrsssbt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bbctrsssbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bbctrsssbt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9445653,"ip":"62.221.127.224","ts":"2026-06-17 02:47:59.000000","proto":"tcp","src_port":47904,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.782323857381788, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002284fe411773b264479740ff8c4f27b4c9\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221631aee7888d660e870c9d8ecba2263cf4807209\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ss9tsXrbts\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9tsXrbts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ss9tsXrbts\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9445417,"ip":"62.221.127.224","ts":"2026-06-17 02:44:11.000000","proto":"tcp","src_port":47224,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.816807154432262, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b3a9c5dc79c00c4cd9a8f8f64c9e92e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233cafaa5b73704ffc9c2ee2075718803847068a1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tss9bcr9sY\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tss9bcr9sY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tss9bcr9sY\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9445237,"ip":"62.221.127.224","ts":"2026-06-17 02:40:23.000000","proto":"tcp","src_port":43850,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.824605035766233, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022849d048a8abf1c80d6657cf65c238467\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2965c061f1c415572368222c5b3061329f32479\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ts9sYccbrc\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ts9sYccbrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ts9sYccbrc\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9445082,"ip":"62.221.127.224","ts":"2026-06-17 02:36:35.000000","proto":"tcp","src_port":51174,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7929976306227378, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002291c021f45afa7ce6856e481e79e658c1\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249f3b41761948938847f7c4c636c9ce8d7c90801\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9sbXXXXbt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9sbXXXXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9sbXXXXbt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9444911,"ip":"62.221.127.224","ts":"2026-06-17 02:32:47.000000","proto":"tcp","src_port":33822,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.769188106813214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229684af03d3c4ee23eb2f98d8bee2f58a\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255b1d59be0919f9e8b94d9da63d812f9a325c905\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csrsrtYstt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrsrtYstt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csrsrtYstt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9444721,"ip":"62.221.127.224","ts":"2026-06-17 02:28:59.000000","proto":"tcp","src_port":33860,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7929976306227378, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022715fa84c9bf9c7e9b6c6b921debeb8cf\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ad6f9b7057ac1841196486e886bf3d2565662df\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9stbstrsXct\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000stbstrsXct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9stbstrsXct\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9444516,"ip":"62.221.127.224","ts":"2026-06-17 02:25:11.000000","proto":"tcp","src_port":38934,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8257939104103977, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d260d0f75f5a30c2d66564c0fe3e091e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213cdb725f0656bc0b1d6566d545e65def7ababb7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csrbrtrXt9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csrbrtrXt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csrbrtrXt9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9444367,"ip":"62.221.127.224","ts":"2026-06-17 02:21:23.000000","proto":"tcp","src_port":52010,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.798833642475988, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ad5069382dc3c07f7a9ffbb1290aa70\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f9cc334fec502e40112bdc9cb7d3f136bef83a58\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bsYrtsrsXt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bsYrtsrsXt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bsYrtsrsXt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9444140,"ip":"62.221.127.224","ts":"2026-06-17 02:17:30.000000","proto":"tcp","src_port":33636,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.782822000000436, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223d092e6ba8dbd3a70e52c3e318acbddc\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228970029ece81772e40467525598a905acf5131c1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tttbsYt9st\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tttbsYt9st\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tttbsYt9st\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9443877,"ip":"62.221.127.224","ts":"2026-06-17 02:13:42.000000","proto":"tcp","src_port":59164,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7704103056310347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002219ea94c5df69de9e4c864fae6184b18d\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002266e5bdbdc7251f724f9f347a9c69a46853d055e3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xtrbtsc9s\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xtrbtsc9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xtrbtsc9s\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9443668,"ip":"62.221.127.224","ts":"2026-06-17 02:09:52.000000","proto":"tcp","src_port":57928,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.830441047619484, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a6529173ce69413485a43ae860562548\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c9c176a4bd1950c670f83bef0a203d49b559e938\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsr9bcX9bs\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsr9bcX9bs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsr9bcX9bs\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9443442,"ip":"62.221.127.224","ts":"2026-06-17 02:06:02.000000","proto":"tcp","src_port":47998,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.782822000000436, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d1cb60cfc4caf42920cfeb03e87b117\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d7d6df0adfc62017da7041679ee73ced203dc34c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sbYbXsXXXr\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbYbXsXXXr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sbYbXsXXXr\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9443262,"ip":"62.221.127.224","ts":"2026-06-17 02:02:12.000000","proto":"tcp","src_port":45556,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.830441047619484, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b294a4237707590573138d3a1c341add\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022237120843506c64ef3a5d280fac628b59e926e28\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9Yttcrbct\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9Yttcrbct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9Yttcrbct\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9443018,"ip":"62.221.127.224","ts":"2026-06-17 01:58:23.000000","proto":"tcp","src_port":35526,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.821454291641347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224351f0368337493d80c07df4af7c49aa\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226c717f64ced8bd14262bbc0f4155eb0ccf80d023\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9btrXtscsbc\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btrXtscsbc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9btrXtscsbc\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9442722,"ip":"62.221.127.224","ts":"2026-06-17 01:54:34.000000","proto":"tcp","src_port":50584,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.807820398454125, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f19e3767a2a8f56f8cd9005abb3c0b57\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef1abd0bf9bbb2bcfd0512c283f53eab23349d1c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cs9trcsbst\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9trcsbst\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cs9trcsbst\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9442456,"ip":"62.221.127.224","ts":"2026-06-17 01:50:44.000000","proto":"tcp","src_port":48424,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.780585936253336, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022948ca70b276155b9a0f97347c8b10a6d\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f49a53940c724995bb0bea07ea0bff02b9ceac80\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xc9rtcb99\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xc9rtcb99\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xc9rtcb99\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9442209,"ip":"62.221.127.224","ts":"2026-06-17 01:46:55.000000","proto":"tcp","src_port":43484,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7929976306227378, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e1e023355d0f8a10890d93dba6718451\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eed4498059242db2d633af20be2300ff37e80859\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9scb9ts9sX9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000scb9ts9sX9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9scb9ts9sX9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9442040,"ip":"62.221.127.224","ts":"2026-06-17 01:43:05.000000","proto":"tcp","src_port":38848,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8199578985571474, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228e62c5d8b8d6c5cabaebf52d1475673f\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225984dec8e2d740466748d481b37025d2a41aa309\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9s9Yttbr9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9s9Yttbr9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9s9Yttbr9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9441804,"ip":"62.221.127.224","ts":"2026-06-17 01:39:16.000000","proto":"tcp","src_port":49386,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.782323857381788, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f09767005f1115b99206f6dcb52aae34\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022164852f026f8c7c0880c62de98c85f6ffb9720e8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bXssrYtYss\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bXssrYtYss\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bXssrYtYss\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9441477,"ip":"62.221.127.224","ts":"2026-06-17 01:35:27.000000","proto":"tcp","src_port":37398,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.775024118666465, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d73e7d1b18eb106a878bdf2e2c7394cf\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa1a86b62b7de23e676f10107b9ebbad1065171c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csYXstcY9s\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000csYXstcY9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9csYXstcY9s\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9441236,"ip":"62.221.127.224","ts":"2026-06-17 01:31:36.000000","proto":"tcp","src_port":36442,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8156182797880964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022123c34ab5953012f8af49d82bf340001\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c05b3e8bd69606dbafad70136b5d94995462fd7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bs9cbX9st9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bs9cbX9st9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bs9cbX9st9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9441042,"ip":"62.221.127.224","ts":"2026-06-17 01:27:48.000000","proto":"tcp","src_port":42214,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7929976306227378, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208b78bf723b2aa1fd1992b3ca47adb74\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224bffe58b7cab3bf31e4bc8cfa51fc971fbcb5794\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tXtYstbtct\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tXtYstbtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tXtYstbtct\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9440817,"ip":"62.221.127.224","ts":"2026-06-17 01:23:49.000000","proto":"tcp","src_port":36386,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.807820398454125, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da09654dcd18cbf941338c391f7a4040\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f9d60c846c3241a8758268de78f804b4b1a0f1a1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bssbctsrbt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bssbctsrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bssbctsrbt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9440557,"ip":"62.221.127.224","ts":"2026-06-17 01:20:01.000000","proto":"tcp","src_port":49872,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7704103056310347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b98f40d4d1a34ff6e28ba7620949e1bf\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223fa68b00faee80e674ff11dbed6810a1652f59b0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9trsXbsYt9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000trsXbsYt9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9trsXbsYt9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9440312,"ip":"62.221.127.224","ts":"2026-06-17 01:16:12.000000","proto":"tcp","src_port":46598,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8078203984541252, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002263859363afe4ad0e6a192d39d47882c2\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002256d129f9f8eb43bdbe1245e2f78f05bcf7d9718c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9s9csstbXrc\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000s9csstbXrc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9s9csstbXrc\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9440065,"ip":"62.221.127.224","ts":"2026-06-17 01:12:24.000000","proto":"tcp","src_port":52528,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.830441047619484, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228d4196fa905406aa0c38f858094c4422\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ec46648a1667989d0340e8fc465e3d5c581233d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9bstrbYsY\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000t9bstrbYsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9t9bstrbYsY\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9439780,"ip":"62.221.127.224","ts":"2026-06-17 01:08:35.000000","proto":"tcp","src_port":46444,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.755587537799647, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227856a9c1d5c297269e6e20b5d53c62cc\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022859ad0d87bab8753de840006279145cecf05c173\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9YrrsYsbcr\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000YrrsYsbcr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9YrrsYsbcr\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9439532,"ip":"62.221.127.224","ts":"2026-06-17 01:04:47.000000","proto":"tcp","src_port":58628,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7976447678318235, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022722e439792f812901afcebda9de7232c\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ced1421d1dca1915b2417ef0d0d44dbde801dc2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cr9XYsttsr\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cr9XYsttsr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cr9XYsttsr\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9439287,"ip":"62.221.127.224","ts":"2026-06-17 01:00:59.000000","proto":"tcp","src_port":34938,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.767501089550401, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002234bd5c3c93d089bdde153a73f35e22d4\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b66c83f5b56bbdbf1fc84fd28894fc28d89d246\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ss9scrsYct\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ss9scrsYct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ss9scrsYct\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9439002,"ip":"62.221.127.224","ts":"2026-06-17 00:57:11.000000","proto":"tcp","src_port":36336,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.769188106813214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208bcccf47a4c320dd8a6756288fbe4e4\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002238fa30f0d33a07d139781b8733208c1c44d0003a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttsttcrYtc\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttsttcrYtc\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttsttcrYtc\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9438670,"ip":"62.221.127.224","ts":"2026-06-17 00:53:21.000000","proto":"tcp","src_port":41052,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8347806663885344, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221441e9de6371528cd2cfebf885da0f74\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f0f1edc3459a646b7f84bfb9d2f156a87d6feea\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9brttbrcr9s\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000brttbrcr9s\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9brttbrcr9s\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9438379,"ip":"62.221.127.224","ts":"2026-06-17 00:49:32.000000","proto":"tcp","src_port":34600,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.821454291641347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228e240893e4ea9dee97e6e92f3eae547a\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229244babecef25dde51a194f8789d102cded5fda6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttXs9rYrsb\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttXs9rYrsb\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttXs9rYrsb\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9438174,"ip":"62.221.127.224","ts":"2026-06-17 00:45:43.000000","proto":"tcp","src_port":47406,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8156182797880964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022706f0526a6bfe80d9c5d9ddf5c3eb29a\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d6c3ad09cd2ca70890769fad74e0c12d17a35c5d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tc9btcsrts\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tc9btcsrts\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tc9btcsrts\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9437936,"ip":"62.221.127.224","ts":"2026-06-17 00:41:54.000000","proto":"tcp","src_port":36394,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8124675356632105, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022641658497dca0179570221ff80000f67\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ca104758783247a4c5f07a2957ea13b305429756\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sbXrstcctr\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sbXrstcctr\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sbXrstcctr\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9437660,"ip":"62.221.127.224","ts":"2026-06-17 00:38:04.000000","proto":"tcp","src_port":55430,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7239801326561524, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221e4124d5983492eb8ba2437513c5f4d7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229bbcb685a598d6b3932c19a6509a409e99bbd3ef\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sttcssYrY\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sttcssYrY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sttcssYrY\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9437416,"ip":"62.221.127.224","ts":"2026-06-17 00:34:15.000000","proto":"tcp","src_port":56672,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.782822000000436, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b1a05793d0e490c5dfd23d89ff439632\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c9904d43d8fdf623dc500447fb3f0769ccdd254\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cs9YYts9YX\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000cs9YYts9YX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9cs9YYts9YX\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9437163,"ip":"62.221.127.224","ts":"2026-06-17 00:30:25.000000","proto":"tcp","src_port":53126,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.830441047619484, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002224c060194710bb644d9dee039a5cea4f\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d8666620f5a97d9481e1af79374544df77795dae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sXcYbsbrbt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000sXcYbsbrbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9sXcYbsbrbt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9436958,"ip":"62.221.127.224","ts":"2026-06-17 00:26:34.000000","proto":"tcp","src_port":34000,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7291914169089604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d95f26ca464f8a9732e5a3cb70867ef6\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022743978271d9c20b40cec30abef84751f81d8e956\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bX9rXtct\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bX9rXtct\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bX9rXtct\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9436686,"ip":"62.221.127.224","ts":"2026-06-17 00:22:45.000000","proto":"tcp","src_port":52564,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8156182797880964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 1547, \u0022country\u0022: \u0022MD\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022MD\u0022, \u0022asn\u0022: 1547, \u0022org\u0022: \u0022INTERDNESTRKOM, Sovmestnoe Zakrytoe Aktsionernoe Obshchestvo\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224b2547ac7c2296395bb63dfd698ed449\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224aaf8b27342c4c72591fa178f85123d815c95458\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crsrr9sXbt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000crsrr9sXbt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9crsrr9sXbt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9436425,"ip":"62.221.127.224","ts":"2026-06-17 00:18:52.000000","proto":"tcp","src_port":55480,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7704103056310347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: null, \u0022country\u0022: \u0022unknown\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022unknown\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bfb3ccd66ecc02b63cd4de1e7ce2ad9e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b2d662f8da75086e31677e96e01b3617d524a25\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bcrstYYXs\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000bcrstYYXs\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9bcrstYYXs\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9436200,"ip":"62.221.127.224","ts":"2026-06-17 00:15:03.000000","proto":"tcp","src_port":42022,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.821454291641347, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: null, \u0022country\u0022: \u0022unknown\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022unknown\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022360a584b0bfa029c8174eaa1dce7e340\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002277740357c9b4787b61ffe79c2941f98268e20d39\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsccbsYrrt\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000tsccbsYrrt\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9tsccbsYrrt\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9436002,"ip":"62.221.127.224","ts":"2026-06-17 00:11:13.000000","proto":"tcp","src_port":56894,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.7602013508350773, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: null, \u0022country\u0022: \u0022unknown\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022unknown\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223fb90446e873fe80a65d0bef5cbd9021\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222399344c95f5fd6a56adcf31cac4cae6b633f47d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttYssst9Y9\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ttYssst9Y9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9ttYssst9Y9\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9435802,"ip":"62.221.127.224","ts":"2026-06-17 00:07:24.000000","proto":"tcp","src_port":59956,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.722791258011987, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: null, \u0022country\u0022: \u0022unknown\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022unknown\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c3e7cf36cf2c02e36e53bc70e86a6ad4\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002238627de1c3fc6c6e581010c56bf86be2511d9e2d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xrbsss9XX\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000Xrbsss9XX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9Xrbsss9XX\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84},{"id":9435569,"ip":"62.221.127.224","ts":"2026-06-17 00:03:35.000000","proto":"tcp","src_port":39048,"dst_port":8000,"service":"sap-icm","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 2.8019843866008745, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: null, \u0022country\u0022: \u0022unknown\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022unknown\u0022, \u0022org\u0022: \u0022IDKNET-PA-ISP\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d95ea328bd99453ecc3e9cac21be11b3\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228df7832d107c47104755d1964c0e36cfd747dd43\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9btsctsrtsY\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000TZ\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0004\\u00010I\\u0000\\u0000\\u0000\\u0000\ufffdd\ufffd\ufffd\\u0000\\u0000\ufffd\\u000f\ufffd\ufffd\\u0007\\u0000tsXrcsXYs9\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000btsctsrtsY\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SAP ICM:8000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TZ0I\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdtsXrcsXYs9btsctsrtsY\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":84}],"total_events":109}