Détails IP 64.227.158.25

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 14061 · 64.227.128.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 6 événements sur la période pour cette IP.

64.226.86.7 Sonde port 17/06/2026 19:41 UTC
143.198.150.150 Sonde port 17/06/2026 19:41 UTC
24.199.126.56 Sonde port 17/06/2026 19:40 UTC
146.190.153.30 Cross-site scripting 17/06/2026 19:40 UTC
147.182.247.10 Cross-site scripting 17/06/2026 19:40 UTC
64.227.25.120 Sonde port 23/TCP 17/06/2026 19:40 UTC
178.128.32.203 Cross-site scripting 17/06/2026 19:40 UTC
146.190.149.252 Sonde port 17/06/2026 19:39 UTC

IPs apparentées

Même FAI DigitalOcean, LLC — corrélation indicative.

64.226.86.7 Sonde port
143.198.150.150 Sonde port
24.199.126.56 Sonde port
146.190.153.30 Cross-site scripting
147.182.247.10 Cross-site scripting

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

RDP TCP 4 SSH TCP 2

RDP

4

SSH

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

6 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 17:34:37 UTC	TCP	3389 · RDP	rdp	Sonde PostgreSQL postgres probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 d6828e30ab66774a Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_probe rdp_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Payload ��I'�XE�80x_�pl�6Z�.�9C�ٸ��Z�� 9p�sܛ��t��O�1^�J�νx�2�&�+�/�,�0̨̩� �� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��I'�XE�80x_�pl�6Z�.�9C�ٸ��Z�� 9p�sܛ��t��O�1^�J�νx�2�&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��I'�XE�80x_�pl�6Z�.�9C�ٸ��Z�� 9p�sܛ��t��O�1^�J�νx�2�&�+�/�,�0̨̩� �� /5� { �+3&$ �#�ؚ��N��D�?�5�/j�/��F�� Meta JSON brut { "protocol_emulated": true, "bytes_in": 243, "payload_entropy": 5.768330325692586, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "rdp", "app_proto": "rdp", "asn": 14061, "country": "IN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5cb9b53baf1209ea6c81c49a02d920dd293de6a4", "event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8327060f2ec40aad04433e8314b4f477", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "d6828e30ab66774a91a96ae93be4ae4c", "ja4": "e4d60caa902b8b84112358f96af813c3", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0", "tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3", "tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I'\ufffdXE\ufffd80x_\ufffd\u0005pl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\u0017\ufffd\u0013 9p\ufffds\u0000\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951\b^\ufffdJ\ufffd\u001f\u03bdx\ufffd2\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I'\ufffdXE\ufffd80x_\ufffd\u0005pl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\u0017\ufffd\u0013 9p\ufffds\u0000\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951\b^\ufffdJ\ufffd\u001f\u03bdx\ufffd2\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0011#\ufffd\u061a\ufffd\ufffdN\ufffd\ufffdD\ufffd?\ufffd5\ufffd\/j\ufffd\/\ufffd\ufffdF\ufffd\ufffd\u0013\ufffd\ufffd\ufffd\ufffd\u0016", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I'\ufffdXE\ufffd80x_\ufffd\u0005pl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\u0017\ufffd\u0013 9p\ufffds\u0000\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951\b^\ufffdJ\ufffd\u001f\u03bdx\ufffd2\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13f2ef85dd4905ec966afcebac2409b370840cc5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I'\ufffdXE\ufffd80x_\ufffd\u0005pl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\u0017\ufffd\u0013 9p\ufffds\u0000\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951\b^\ufffdJ\ufffd\u001f\u03bdx\ufffd2\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja4": "e4d60caa902b8b84112358f96af813c3", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd\ufffdI'\ufffdXE\ufffd80x_\ufffdpl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\ufffd 9p\ufffds\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951^\ufffdJ\ufffd\u03bdx\ufffd2\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I'\ufffdXE\ufffd80x_\ufffd\u0005pl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\u0017\ufffd\u0013 9p\ufffds\u0000\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951\b^\ufffdJ\ufffd\u001f\u03bdx\ufffd2\u0005\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja4": "e4d60caa902b8b84112358f96af813c3", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdI'\ufffdXE\ufffd80x_\ufffdpl\ufffd6Z\ufffd.\ufffd9C\ufffd\u0678\ufffd\ufffdZ\ufffd\ufffd 9p\ufffds\u071b\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffdO\ufffd\u00951^\ufffdJ\ufffd\u03bdx\ufffd2\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_probe", "rdp_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
17/06/2026 17:34:36 UTC	TCP	3390 · RDP	rdp	Sonde RDP rdp probe · via RDP:3390 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_probe rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3390 Chemin / cible — Service RDP Payload � Pourquoi cette classification : Négociation protocole RDP · confiance 95% Confiance classification 95% Risque capteur Moyen · 48 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0348 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed00000123400021f080000000000", "emulator_response_len": 19, "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "rdp", "app_proto": "rdp", "asn": 14061, "country": "IN", "dst_port": 3390, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4d43a9aee13350a4f2414bd1a80e51e6af2cbed6", "event_fingerprint": "700e745442e0a767acc5398300bd052d20e6e907", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0348", "INT-upstream" ], "kb_rule_ids": [ "pat-0348", "INT-upstream" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3390, "service": "rdp", "service_name": "rdp", "risk_score": 48 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c36cf0b9586ed50f6bcd37273c55c85c3302785", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 3390, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd", "attack_vector": "rdp probe \u00b7 via RDP:3390 \u00b7 (sonde \/ probe)", "target_port_label": "3390 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "classification_reason_label_fr": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3390, "protocol_emulated": true, "tags_summary": [ "pat-0348", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0348", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rdp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 3390, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "rdp probe \u00b7 via RDP:3390 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "3390 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "honeypot-rdp", "service_os": "linux", "dst_port": "3390" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_probe", "rdp_cookie", "rdp_emulated" ], "asn_dc_heuristic": true }
17/06/2026 17:34:33 UTC	TCP	3389 · RDP	rdp	Sonde PostgreSQL postgres probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 d6828e30ab66774a Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_probe rdp_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Payload ��E��yW�d� 9��ʅ!�@��3��ǃ�� g��[;��m�Y��ļvy��!y�־�!&�+�/�,�0̨̩� �� /5� { Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��E��yW�d� 9��ʅ!�@��3��ǃ�� g��[;��m�Y��ļvy��!y�־�!&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��E��yW�d� 9��ʅ!�@��3��ǃ�� g��[;��m�Y��ļvy��!y�־�!&�+�/�,�0̨̩� �� /5� { �+3&$ qՑ��PK3E69��<y�2"KuҺ��B Meta JSON brut { "protocol_emulated": true, "bytes_in": 243, "payload_entropy": 5.787041571165341, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "rdp", "app_proto": "rdp", "asn": 14061, "country": "IN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5cb9b53baf1209ea6c81c49a02d920dd293de6a4", "event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ffdbaeff8f849c93bf6343dec3c5dc7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "d6828e30ab66774a91a96ae93be4ae4c", "ja4": "e4d60caa902b8b84112358f96af813c3", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0", "tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3", "tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdyW\ufffdd\ufffd\n\u00079\ufffd\u0012\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdyW\ufffdd\ufffd\n\u00079\ufffd\u0012\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001e \u0019q\u0551\ufffd\ufffdPK\u00143E69\ufffd\u0013\ufffd\ufffd<y\ufffd2\"Ku\u04ba\ufffd\ufffdB", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdyW\ufffdd\ufffd\n\u00079\ufffd\u0012\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ebaced6302f6c3d114c2fd9c4cfbd5d7c5b2e3a6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdyW\ufffdd\ufffd\n\u00079\ufffd\u0012\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja4": "e4d60caa902b8b84112358f96af813c3", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd\ufffdE\ufffd\ufffdyW\ufffdd\ufffd\n9\ufffd\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdyW\ufffdd\ufffd\n\u00079\ufffd\u0012\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c", "tls_ja4": "e4d60caa902b8b84112358f96af813c3", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "postgres probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdE\ufffd\ufffdyW\ufffdd\ufffd\n9\ufffd\ufffd\u0285!\ufffd@\ufffd\ufffd3\ufffd\ufffd\ufffd\u01c3\ufffd\ufffd\ufffd\ufffd \ufffdg\ufffd\ufffd[*;\ufffd\ufffdm\ufffdY\ufffd\ufffd\u013cvy\ufffd\ue67d\ufffd!y\ufffd\u05be\ufffd!&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_probe", "rdp_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
17/06/2026 17:34:32 UTC	TCP	3389 · RDP	rdp	Sonde RDP rdp probe · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_cookie rdp_cookie rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Payload � Pourquoi cette classification : Négociation protocole RDP · confiance 95% Confiance classification 95% Risque capteur Moyen · 48 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000130ed00000123400021f080000000000", "emulator_response_len": 19, "bytes_in": 19, "payload_entropy": 1.8784775129881184, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "rdp", "app_proto": "rdp", "asn": 14061, "country": "IN", "dst_port": 3389, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "40bf2c34d73676fee23426938806aaa527b96fcb", "event_fingerprint": "ad5bc6c1132c10ce0e88d551a1bd2cf31dc3757e", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c7fc4bd4bc65329ae66eeb0073ae405e", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 48 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a95cbaec500fb75e21749f6d5cdca0ab9a6b33c2", "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "evidence_snippet": "\ufffd", "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "classification_reason_label_fr": "N\u00e9gociation protocole RDP \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000", "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "rdp probe \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_cookie", "rdp_cookie", "rdp_emulated" ], "asn_dc_heuristic": true }
17/06/2026 04:41:01 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go L:��4��Ym�Yb~��curve25519-sha256@libssh.or… Émulateur SSH WAF — Recommandation Investiguer Tags net_ssh_probe ssh_banner ssh_emulated ssh_kex_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go L:��4��Ym�Yb~��curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp5… Payload SSH-2.0-Go L:��4��Ym�Yb~��curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go L:��4��Ym�Yb~��curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff Requête brute (extrait) SSH-2.0-Go L:��4��Ym�Yb~��curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2- Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a", "emulator_response_len": 32, "bytes_in": 1372, "payload_entropy": 4.850399396002652, "port_category": "well_known", "org": "DigitalOcean, LLC", "service": "ssh", "app_proto": "ssh", "asn": 14061, "country": "IN", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9a91c35ff8553fc24795f9eaf93692ffdae1839c", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 137, "precision_signals": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0536" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "TFTP RRQ" ], "pattern_ids": [ "pat-0391", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5454d888246c04f06808f48ca320e8d2", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42b68ef4a42258794aedc7382bc6be58c7e1522b", "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go\r\nL:\ufffd\ufffd4\ufffd\ufffdYm\ufffdYb~\ufffd\ufffdcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0005L\u0013\u0014:\ufffd\ufffd4\ufffd\ufffdYm\b\ufffdYb~\ufffd\ufffd\u0000\u0000\u0001\u0019curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go\r\nL:\ufffd\ufffd4\ufffd\ufffdYm\ufffdYb~\ufffd\ufffdcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diff", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ], "asn_dc_heuristic": true }
17/06/2026 04:40:59 UTC	TCP	14782 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:14782 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-Go Émulateur SSH WAF — Recommandation Surveiller Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 14782 Chemin / cible — Service SSH Bannière SSH SSH-2.0-Go Payload SSH-2.0-Go Pourquoi cette classification : Bannière client SSH reçue · confiance 95% Confiance classification 95% Risque capteur Moyen · 48 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go Meta JSON brut { "bytes_in": 12, "payload_entropy": 3.2516291673878226, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "ssh", "app_proto": "ssh", "asn": 14061, "country": "IN", "dst_port": 14782, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 48, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f9c70e9371f7475e483347641ffb5989c6c6bdac", "event_fingerprint": "eca195dd0943e8d16c4fba5a7a69cf8177cf1f74", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253" ], "pattern_ids": [ "pat-0391" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 14782, "service": "ssh", "service_name": "ssh", "risk_score": 48 }, "payload_preview": "SSH-2.0-Go\r\n", "request_sample": "SSH-2.0-Go\r\n", "payload_snippet": "SSH-2.0-Go", "evidence": { "request_sample": "SSH-2.0-Go\r\n", "payload_snippet": "SSH-2.0-Go", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b8cf3972118af0f5e3534ecbdb66b4d4b7f932a", "protocol_details": { "ssh_banner": "SSH-2.0-Go", "payload_preview": "SSH-2.0-Go", "port": 14782, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-Go", "attack_vector": "Sonde SSH \u00b7 via SSH:14782 \u00b7 (sonde \/ probe)", "target_port_label": "14782 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 14782, "protocol_emulated": null, "tags_summary": [ "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0391", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-Go", "payload_preview": "SSH-2.0-Go", "port": 14782, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:14782 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-Go", "target_port_label": "14782 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "14782" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "ssh_banner" ], "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

64.227.158.25

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence