|
|
TCP |
800 · HTTP
|
http
|
SSRF interne
ssrf internal · via HTTP:800 · (tentative d'exploit)
|
Élevée
|
Moyen · 49
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
800
Chemin / cible
/
Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54%
Confiance classification
54%
Risque capteur
Moyen
· 49
Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
CRS-920350
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.56
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.56 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "76bb785017d449c8f856e0afa158c8ce51b1e528",
"http_host_hash": "ea673682be6f06cb352d5fe88bbb186136dd70c7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 219,
"payload_entropy": 5.360595594641082,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 800,
"risk_waf": 72,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 49,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "edfd33c99b0be3845890411907c9580b5647db0d",
"event_fingerprint": "4849d3d3314301414c42df2fab454fcf7fe23306",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"confidence": 0.54,
"classification_confidence": 0.54,
"precision_score": 64,
"precision_signals": [
"CRS-920350"
],
"kb_rule_ids": [
"CRS-920350"
],
"matched_patterns": [
"pat-0324"
],
"matched_pattern_names": [
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 49
},
"named_classification_skipped": false,
"classification_parent": "ssrf_attack",
"service_name": "http",
"risk_confidence_factor": 54,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "351854e4d543b60d305783a2e7232f69",
"payload_hash": "4978101796ec906e04eccb92695dd911",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 800,
"service": "http",
"service_name": "http",
"risk_score": 49
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.56",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.56\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.56",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.56\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "edf253753f56f6e2f642dc91c23894d75446f86a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 800,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "ssrf internal \u00b7 via HTTP:800 \u00b7 (tentative d'exploit)",
"target_port_label": "800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 54 % \u2014 via HTTP",
"confidence_pct": 54,
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 49
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 800,
"protocol_emulated": null,
"tags_summary": [
"CRS-920350"
],
"tags_summary_labels_fr": [
"CRS-920350"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 800,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "ssrf internal \u00b7 via HTTP:800 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "800"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5902 · VNC 2
|
vnc-2
|
Sonde port 5902/TCP
port 5902 tcp · via VNC 2:5902 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
VNC-2
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5902
Chemin / cible
—
Preuve honeypot — Sonde port 5902/TCP
Connexion détectée sur le port 5902 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5902_tcp » (signaux protocolaires) · confiance 69%
Confiance classification
69%
Risque capteur
Moyen
· 41
Confiance : Confiance 69 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
Tcp Vnc Auth
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "vnc-2",
"app_proto": "vnc-2",
"asn": 6939,
"country": "US",
"dst_port": 5902,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "ed4fe55cf9b71383f61b8f50ff2387f345c04ff2",
"event_fingerprint": "e7dead7c09362c8a4cba81baa9e82f36d512e52d",
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 82,
"precision_signals": [
"INT-tcp-vnc-auth"
],
"kb_rule_ids": [
"INT-tcp-vnc-auth"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": true,
"named_candidate": "vnc_bruteforce",
"service_name": "vnc-2",
"risk_confidence_factor": 69,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "2d19cc5560e3efa3989a62110ae7f4ae"
},
"target_context": {
"dst_port": 5902,
"service": "vnc-2",
"service_name": "vnc-2",
"risk_score": 41
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ebcaae52f13f4e32142256f690abd6cc2f1925e",
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"classification_reason_label_fr": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "vnc-2",
"service_label_fr": "VNC 2",
"dst_port": 5902,
"protocol_emulated": true,
"tags_summary": [
"INT-tcp-vnc-auth"
],
"tags_summary_labels_fr": [
"Tcp Vnc Auth"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-vnc-2",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc_2",
"service_banner": "honeypot-vnc-2",
"service_os": "linux",
"dst_port": "5902"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
]
}
|
|
|
TCP |
9192 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:9192 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9192
Chemin / cible
—
Service
TLS
Payload
����{���w��)��&��ƒ���HŊ�Q��R�ƾ^���0}Gt������/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��)��&��ƒ���HŊ�Q��R�ƾ^���0}Gt������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.883567201918398,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 9192,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3da948374285c6e22248f96dd3fb422bb0c9f5ba",
"event_fingerprint": "d01c72dd4fa07a9812e896f2b467923460de9936",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "41e7c98586e62f95f66144368797b9c6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9192,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffd\u001fH\u014a\u0003Q\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffd\u001fH\u014a\u0003Q\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffd\u001fH\u014a\u0003Q\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "14d00d69ea57bfef052a655a91a3e680ff4c7417",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffd\u001fH\u014a\u0003Q\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9192,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{w)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffdH\u014aQ\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:9192 \u00b7 (sonde \/ probe)",
"target_port_label": "9192 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9192,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffd\u001fH\u014a\u0003Q\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9192,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:9192 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w)\ufffd\ufffd&\ufffd\ufffd\u0192\ufffd\ufffdH\u014aQ\ufffd\ufffdR\ufffd\u01be^\ufffd\ufffd\ufffd0}Gt\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "9192 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9192"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8443 · HTTPS
|
https
|
Sonde PostgreSQL
postgres probe · via HTTPS:8443 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
����{���w����|���9"��8r�H%����nQW[+�V���������/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w����|���9"��8r�H%����nQW[+�V���������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 128,
"payload_entropy": 4.76118417945087,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "https",
"app_proto": "https",
"asn": 6939,
"country": "US",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1a6e3580215ccd0a458facebb757f8c3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd|\u0000\u0003\ufffd9\"\u001a\ufffd8r\u0014H%\ufffd\u0004\u0015\ufffdnQW[+\u001fV\ufffd\u0015\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd|\u0000\u0003\ufffd9\"\u001a\ufffd8r\u0014H%\ufffd\u0004\u0015\ufffdnQW[+\u001fV\ufffd\u0015\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd|\u0000\u0003\ufffd9\"\u001a\ufffd8r\u0014H%\ufffd\u0004\u0015\ufffdnQW[+\u001fV\ufffd\u0015\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "78460e6a0d9e3ad2496cfd47ae90ac9a77750c4f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd|\u0000\u0003\ufffd9\"\u001a\ufffd8r\u0014H%\ufffd\u0004\u0015\ufffdnQW[+\u001fV\ufffd\u0015\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "{w\ufffd\ufffd|\ufffd9\"\ufffd8rH%\ufffd\ufffdnQW[+V\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd|\u0000\u0003\ufffd9\"\u001a\ufffd8r\u0014H%\ufffd\u0004\u0015\ufffdnQW[+\u001fV\ufffd\u0015\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "postgres probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w\ufffd\ufffd|\ufffd9\"\ufffd8rH%\ufffd\ufffdnQW[+V\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
1337 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:1337 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1337
Chemin / cible
—
Service
TLS
Payload
����{���w���VE��3��fF6��S�5���,���l��v���n�����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w���VE��3��fF6��S�5���,���l��v���n�����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.85536688571186,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 1337,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c432e4df5b120f4201c0ee899ebb11e5a8dacff8",
"event_fingerprint": "ea76a1f72c102616c0262e9722139243ea089ced",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "d4708066463889bca406de53fe4475a9",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1337,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdVE\u001c\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd\u0006\u001d,\u0011\u0010\u0011l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdVE\u001c\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd\u0006\u001d,\u0011\u0010\u0011l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdVE\u001c\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd\u0006\u001d,\u0011\u0010\u0011l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d00afcd318167593fb3b23048d40a72f5b1597c8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdVE\u001c\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd\u0006\u001d,\u0011\u0010\u0011l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 1337,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{w\ufffdVE\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd,l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:1337 \u00b7 (sonde \/ probe)",
"target_port_label": "1337 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 1337,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdVE\u001c\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd\u0006\u001d,\u0011\u0010\u0011l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 1337,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:1337 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w\ufffdVE\ufffd3\ufffd\ufffdfF6\ufffd\ufffdS\ufffd5\ufffd,l\ufffd\ufffdv\ufffd\ufffd\ufffdn\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "1337 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "1337"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8015 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:8015 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8015
Chemin / cible
—
Service
TLS
Payload
����{���w��pO7�es�N�S�>�.ـ�}�L�;��5�l�F� ����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��pO7�es�N�S�>�.ـ�}�L�;��5�l�F������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.83974188571186,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 8015,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "72a7dbdba92b9b15290625e97617fb41b402fdc8",
"event_fingerprint": "08ef95151aaeead11fb2d185eba495ae13764208",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "c47d40dc74db482d20d538fdd54d805c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8015,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003pO7\ufffdes\ufffdN\ufffdS\u0019>\ufffd.\u0640\u0011}\u0006L\ufffd;\u000e\ufffd5\ufffdl\ufffdF\u000e\f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003pO7\ufffdes\ufffdN\ufffdS\u0019>\ufffd.\u0640\u0011}\u0006L\ufffd;\u000e\ufffd5\ufffdl\ufffdF\u000e\f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003pO7\ufffdes\ufffdN\ufffdS\u0019>\ufffd.\u0640\u0011}\u0006L\ufffd;\u000e\ufffd5\ufffdl\ufffdF\u000e\f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47211b1f4c05eded48e03c05742f161880b80430",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003pO7\ufffdes\ufffdN\ufffdS\u0019>\ufffd.\u0640\u0011}\u0006L\ufffd;\u000e\ufffd5\ufffdl\ufffdF\u000e\f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{wpO7\ufffdes\ufffdN\ufffdS>\ufffd.\u0640}L\ufffd;\ufffd5\ufffdl\ufffdF\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8015,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003pO7\ufffdes\ufffdN\ufffdS\u0019>\ufffd.\u0640\u0011}\u0006L\ufffd;\u000e\ufffd5\ufffdl\ufffdF\u000e\f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{wpO7\ufffdes\ufffdN\ufffdS>\ufffd.\u0640}L\ufffd;\ufffd5\ufffdl\ufffdF\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2087 · CPANEL WHM
|
cpanel-whm
|
Sonde PostgreSQL
postgres probe · via CPANEL WHM:2087 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
CPANEL-WHM
WAF
—
Recommandation
Surveiller
Tags
cpanel_whm_emulated
cpanel_whm_payload
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2087
Chemin / cible
—
Service
CPANEL WHM
Payload
����{���w��kBy�E ���6Q~�AN��fdڒ^�|3��&�i������/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��kBy�E
���6Q~�AN��fdڒ^�|3��&�i������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 128,
"payload_entropy": 4.867162002933164,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "cpanel-whm",
"app_proto": "cpanel-whm",
"asn": 6939,
"country": "US",
"dst_port": 2087,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64",
"event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "cpanel-whm",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b7e0f3af234ca03b5a8d6f6d7446e2dd",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2087,
"service": "cpanel-whm",
"service_name": "cpanel-whm",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003kBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd\u0019&\ufffdi\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003kBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd\u0019&\ufffdi\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003kBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd\u0019&\ufffdi\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "97d8cf657ada503731aa0fac263fc6ced1480303",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003kBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd\u0019&\ufffdi\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"evidence_snippet": "{wkBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd&\ufffdi\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel-whm",
"service_label_fr": "CPANEL WHM",
"dst_port": 2087,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel-whm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003kBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd\u0019&\ufffdi\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 2087,
"service": "cpanel-whm",
"service_label_fr": "CPANEL WHM"
},
"attack_vector": "postgres probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{wkBy\ufffdE\n\ufffd\ufffd\ufffd6Q~\ufffdAN\ufffd\ufffdfd\u0692^\ufffd|3\ufffd&\ufffdi\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "2087 \u00b7 CPANEL WHM",
"emulator_service": "cpanel-whm",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel_whm",
"service_banner": "honeypot-cpanel-whm",
"service_os": "linux",
"dst_port": "2087"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_whm_emulated",
"cpanel_whm_payload",
"net_cpanel_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
1200
|
—
|
Sonde port
Sonde port · port 1200 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1200
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������
Meta JSON brut
{
"bytes_in": 7,
"payload_entropy": 1.5566567074628228,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 1200,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "7b4cbf03b7a4ca4eb026d174486e1e3b356d1a4c",
"event_fingerprint": "16b3652c799a5e05693a1655b5e5f04b0e57a6e3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e866e1d989e997db6ebf852e781b0c09",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 1200,
"risk_score": 44
},
"payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"request_sample": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"payload_snippet": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"evidence": {
"request_sample": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"payload_snippet": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cf9b57b60bc0ece097509965bc7068def12ac18c",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"port": 1200
},
"evidence_snippet": "\ufffd\ufffd",
"attack_vector": "Sonde port \u00b7 port 1200 \u00b7 (sonde \/ probe)",
"target_port_label": "1200",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 1200,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\u0001\u0000\u0000\u0000\u0001",
"port": 1200
},
"attack_vector": "Sonde port \u00b7 port 1200 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd",
"target_port_label": "1200",
"emulator_service": null,
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "1200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
631 · IPP
|
ipp
|
Scan vulnérabilités
scanner vuln · via IPP:631 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
IPP
WAF
—
Recommandation
Surveiller
Tags
mozi_pattern
net_mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
631
Chemin / cible
—
Service
IPP
Payload
POST /ipp HTTP/1.1 Host: 62.3.50.33:631 User-Agent: Mozilla/5.0 zgrab/0.x Content-Length: 143 Accept: */* Content-Type: app
Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0594
pat-0458
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
CRS 921130 duplicate CL
Kafka ApiVersions key
ET zgrab fingerprint
UA zgrab
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
POST /ipp HTTP/1.1
Host: 62.3.50.33:631
User-Agent: Mozilla/5.0 zgrab/0.x
Content-Length: 143
Accept: */*
Content-Type: app
Requête brute (extrait)
POST /ipp HTTP/1.1 Host: 62.3.50.33:631 User-Agent: Mozilla/5.0 zgrab/0.x Content-Length: 143 Accept: */* Content-Type: application/ipp Accept-Encoding: gzip ��� �����G��attributes-charset��utf-8H��attributes-natural-language��en-usE� printer-uri
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742069707020726561647920706f72743d3633310d0a",
"emulator_response_len": 33,
"bytes_in": 310,
"payload_entropy": 5.316876622670295,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "ipp",
"app_proto": "ipp",
"asn": 6939,
"country": "US",
"dst_port": 631,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 48,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "c915eb28a60b2299a9f6c12fd621db78ee325686",
"event_fingerprint": "10494905d166d137cdbac483efb99c42ee20ff9e",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 108,
"precision_signals": [
"pat-0594",
"pat-0458"
],
"kb_rule_ids": [
"pat-0594",
"pat-0458"
],
"matched_patterns": [
"pat-0842",
"pat-0556",
"pat-0594",
"pat-0458",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"Kafka ApiVersions key",
"ET zgrab fingerprint",
"UA zgrab",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0842",
"pat-0556",
"pat-0594",
"pat-0458",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"classification_parent": "vuln_scanner",
"service_name": "ipp",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c98bdf7aca751434485057eecb24b3f6",
"path_pattern_hash": "b71c8aad2b015494f15e7bb035951b05"
},
"target_context": {
"dst_port": 631,
"service": "ipp",
"service_name": "ipp",
"risk_score": 48
},
"payload_preview": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"request_sample": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: application\/ipp\r\nAccept-Encoding: gzip\r\n\r\n\u0002\u0001\u0000\u000b\u0000\u0000\u0000\u0001\u0001G\u0000\u0012attributes-charset\u0000\u0005utf-8H\u0000\u001battributes-natural-language\u0000\u0005en-usE\u0000\u000bprinter-uri\u0000",
"payload_snippet": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"evidence": {
"request_sample": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: application\/ipp\r\nAccept-Encoding: gzip\r\n\r\n\u0002\u0001\u0000\u000b\u0000\u0000\u0000\u0001\u0001G\u0000\u0012attributes-charset\u0000\u0005utf-8H\u0000\u001battributes-natural-language\u0000\u0005en-usE\u0000\u000bprinter-uri\u0000",
"payload_snippet": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5d5e0029d09950c4a6511aa0d5f2b36b59b5659",
"protocol_details": {
"payload_preview": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"port": 631,
"service": "ipp",
"service_label_fr": "IPP"
},
"evidence_snippet": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"attack_vector": "scanner vuln \u00b7 via IPP:631 \u00b7 (sonde \/ probe)",
"target_port_label": "631 \u00b7 IPP",
"emulator_service": "ipp",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ipp",
"service_label_fr": "IPP",
"dst_port": 631,
"protocol_emulated": true,
"tags_summary": [
"pat-0594",
"pat-0458"
],
"tags_summary_labels_fr": [
"pat-0594",
"pat-0458"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-ipp",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"port": 631,
"service": "ipp",
"service_label_fr": "IPP"
},
"attack_vector": "scanner vuln \u00b7 via IPP:631 \u00b7 (sonde \/ probe)",
"evidence_snippet": "POST \/ipp HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nContent-Length: 143\r\nAccept: *\/*\r\nContent-Type: app",
"target_port_label": "631 \u00b7 IPP",
"emulator_service": "ipp",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ipp",
"service_banner": "honeypot-ipp",
"service_os": "linux",
"dst_port": "631"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mozi_pattern",
"net_mozi_pattern"
]
}
|
|
|
TCP |
5902 · VNC 2
|
vnc-2
|
Sonde port 5902/TCP
port 5902 tcp · via VNC 2:5902 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
VNC-2
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5902
Chemin / cible
—
Preuve honeypot — Sonde port 5902/TCP
Connexion détectée sur le port 5902 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5902_tcp » (signaux protocolaires) · confiance 69%
Confiance classification
79%
Corrélation +10
Risque capteur
Moyen
· 41
Confiance : Confiance 69 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
Tcp Vnc Auth
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "vnc-2",
"app_proto": "vnc-2",
"asn": 6939,
"country": "US",
"dst_port": 5902,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "ed4fe55cf9b71383f61b8f50ff2387f345c04ff2",
"event_fingerprint": "e7dead7c09362c8a4cba81baa9e82f36d512e52d",
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 82,
"precision_signals": [
"INT-tcp-vnc-auth"
],
"kb_rule_ids": [
"INT-tcp-vnc-auth"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41,
"correlation_boost": 10
},
"named_classification_skipped": true,
"named_candidate": "vnc_bruteforce",
"service_name": "vnc-2",
"risk_confidence_factor": 69,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "2d19cc5560e3efa3989a62110ae7f4ae"
},
"target_context": {
"dst_port": 5902,
"service": "vnc-2",
"service_name": "vnc-2",
"risk_score": 41
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ebcaae52f13f4e32142256f690abd6cc2f1925e",
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"classification_reason_label_fr": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "vnc-2",
"service_label_fr": "VNC 2",
"dst_port": 5902,
"protocol_emulated": true,
"tags_summary": [
"INT-tcp-vnc-auth"
],
"tags_summary_labels_fr": [
"Tcp Vnc Auth"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-vnc-2",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (64.62.156.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc_2",
"service_banner": "honeypot-vnc-2",
"service_os": "linux",
"dst_port": "5902"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "64.62.156.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
����{���w�� P\�>~��[�=�SzU|���fٴ�M���l�X9C����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w���P\�>~��[�=�SzU|���fٴ�M���l�X9C����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 128,
"payload_entropy": 4.888684561543816,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 6939,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f45e33d07a0f81c99f9ef46720d6c8c1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u000bP\\\ufffd>~\u001e\ufffd[\ufffd=\ufffdSzU|\u0004\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u000bP\\\ufffd>~\u001e\ufffd[\ufffd=\ufffdSzU|\u0004\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u000bP\\\ufffd>~\u001e\ufffd[\ufffd=\ufffdSzU|\u0004\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "92cc877dd880fabea507af6ce028a1176fb078e2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u000bP\\\ufffd>~\u001e\ufffd[\ufffd=\ufffdSzU|\u0004\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "{wP\\\ufffd>~\ufffd[\ufffd=\ufffdSzU|\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u000bP\\\ufffd>~\u001e\ufffd[\ufffd=\ufffdSzU|\u0004\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{wP\\\ufffd>~\ufffd[\ufffd=\ufffdSzU|\ufffd\ufffdf\u0674\ufffdM\ufffd\ufffd\ufffdl\ufffdX9C\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
502 · MODBUS
|
modbus
|
modbus probe
modbus probe · via MODBUS:502 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T0836
TA0007
TA0001
Protocole
Émulateur
MODBUS
WAF
—
Recommandation
Surveiller
Tags
modbus_emulated
net_modbus_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
502
Chemin / cible
—
Service
MODBUS
Payload
ZG�����+���
Pourquoi cette classification : Type « modbus_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Ot Modbus Write
Ot Modbus Write Fc
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
ZG�����+��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "008302",
"emulator_response_len": 3,
"bytes_in": 11,
"payload_entropy": 2.4040097573248604,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "modbus",
"app_proto": "modbus",
"asn": 6939,
"country": "US",
"dst_port": 502,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1df3a12ec0dbfaa23bb48ea99bf5912c8211349a",
"event_fingerprint": "6d0162aa5da47aba819045594f50c8c385e15712",
"classification_reason": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 161,
"precision_signals": [
"INT-OT-modbus-write",
"INT-OT-modbus-write-fc",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-modbus-write",
"INT-OT-modbus-write-fc",
"INT-upstream"
],
"matched_patterns": [
"pat-0554"
],
"matched_pattern_names": [
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 38,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "modbus",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "50a8707b6614ee00fe982271b4b17fce",
"path_pattern_hash": "8ae4962b81dca47862d9dd3befc69030"
},
"target_context": {
"dst_port": 502,
"service": "modbus",
"service_name": "modbus",
"risk_score": 38
},
"payload_preview": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"request_sample": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"payload_snippet": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"evidence": {
"request_sample": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"payload_snippet": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"classification_reason": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T0836"
],
"mitre": "T0836",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "811516863b42c80c2f061991ac3cd779c3ed9335",
"protocol_details": {
"modbus_probe_fr": "Sonde protocole Modbus TCP (port 502)",
"payload_preview": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"port": 502,
"service": "modbus",
"service_label_fr": "MODBUS"
},
"evidence_snippet": "ZG+",
"attack_vector": "modbus probe \u00b7 via MODBUS:502 \u00b7 (sonde \/ probe)",
"target_port_label": "502 \u00b7 MODBUS",
"emulator_service": "modbus",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 38,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "modbus",
"service_label_fr": "MODBUS",
"dst_port": 502,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-modbus-write",
"INT-OT-modbus-write-fc",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Modbus Write",
"Ot Modbus Write Fc",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T0836",
"mitre_technique": "T0836",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Modbus TCP",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"modbus_probe_fr": "Sonde protocole Modbus TCP (port 502)",
"payload_preview": "ZG\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000",
"port": 502,
"service": "modbus",
"service_label_fr": "MODBUS"
},
"attack_vector": "modbus probe \u00b7 via MODBUS:502 \u00b7 (sonde \/ probe)",
"evidence_snippet": "ZG+",
"target_port_label": "502 \u00b7 MODBUS",
"emulator_service": "modbus",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "modbus",
"service_banner": "Modbus TCP",
"service_os": "plc",
"dst_port": "502"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"modbus",
"port:20256"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"modbus_emulated",
"net_modbus_probe"
]
}
|
|
|
TCP |
20256
|
—
|
Sonde port
Sonde port · port 20256 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
20256
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
60%
Corrélation +10
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
PVe���/00IDED
Meta JSON brut
{
"bytes_in": 14,
"payload_entropy": 3.378783493486176,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 20256,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "ee5415bf160646f2a7333b36e4123bd316165308",
"event_fingerprint": "c2c43719be593f3ab3360773f7c6c167181e64cd",
"classification_confidence": 0.6,
"confidence": 0.6,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 10
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f36b147ba5e11fa804223cb5b5d1bd77",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 20256,
"risk_score": 44
},
"payload_preview": "PVe\u0000\b\u0000\/00IDED\r",
"request_sample": "PVe\u0000\b\u0000\/00IDED\r",
"payload_snippet": "PVe\u0000\b\u0000\/00IDED",
"evidence": {
"request_sample": "PVe\u0000\b\u0000\/00IDED\r",
"payload_snippet": "PVe\u0000\b\u0000\/00IDED",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e5cfaa90b6c709cedf375160fb78e6a7c29436eb",
"protocol_details": {
"payload_preview": "PVe\u0000\b\u0000\/00IDED",
"port": 20256
},
"evidence_snippet": "PVe\/00IDED",
"attack_vector": "Sonde port \u00b7 port 20256 \u00b7 (sonde \/ probe)",
"target_port_label": "20256",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 20256,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"payload_preview": "PVe\u0000\b\u0000\/00IDED",
"port": 20256
},
"attack_vector": "Sonde port \u00b7 port 20256 \u00b7 (sonde \/ probe)",
"evidence_snippet": "PVe\/00IDED",
"target_port_label": "20256",
"emulator_service": null,
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (64.62.156.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "20256"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "64.62.156.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Service
PROFINET
Payload
���+��
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"bytes_in": 6,
"payload_entropy": 2.2516291673878226,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "profinet",
"app_proto": "profinet",
"asn": 6939,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4961decd6327f18de006698db9ac6383131d39f8",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"matched_patterns": [
"pat-0554"
],
"matched_pattern_names": [
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ccab9ae05a0357f74b571c28d4cfb21f",
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0"
},
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"payload_preview": "\u0000\u0004\u0001+\u001b\u0000",
"request_sample": "\u0000\u0004\u0001+\u001b\u0000",
"payload_snippet": "\u0000\u0004\u0001+\u001b\u0000",
"evidence": {
"request_sample": "\u0000\u0004\u0001+\u001b\u0000",
"payload_snippet": "\u0000\u0004\u0001+\u001b\u0000",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "81b6552cbc5c13c57e9972e37eff8f6a3d6bdfb9",
"protocol_details": {
"payload_preview": "\u0000\u0004\u0001+\u001b\u0000",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"evidence_snippet": "+",
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0004\u0001+\u001b\u0000",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": "+",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated"
]
}
|
|
|
TCP |
12443 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:12443 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
12443
Chemin / cible
—
Service
TLS
Payload
����{���w������ޠԑ��%�_p|�����K�}ץ��`�W� ����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w������ޠԑ��%�_p|�����K�}ץ��`�W� ����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.883567201918398,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 12443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "1f6ba67d027b9c1d3f7bc207c9b1ae8a07371fa7",
"event_fingerprint": "36c198dcd21a6679ffec5b0bc88d8a1177acd701",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "c24604bc356d78d97f0d2a1dc0eb2561",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 12443,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\u0003\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\u0003\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\u0003\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "33ac80c1855a021d6e2941afe66394c6c177cc13",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\u0003\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 12443,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{w\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:12443 \u00b7 (sonde \/ probe)",
"target_port_label": "12443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 12443,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\u0003\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 12443,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:12443 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w\ufffd\ufffd\ufffd\ufffd\u07a0\u0511\ufffd\ufffd%\ufffd_p|\ufffd\ufffd\ufffd\ufffdK\ufffd}\u05e5\ufffd\ufffd`\ufffdW\ufffd \ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "12443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "12443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5938
|
—
|
Sonde port
Sonde port · port 5938 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5938
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0768
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 9,
"payload_entropy": 1.879964948727111,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 5938,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "d5ab86c9d3a3a81ae41c08870db3859c85ce9275",
"event_fingerprint": "27715cc4803f21ba2823cf3312ba7992ed796384",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0768"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6117bfa20bfb25db4720d8ec95b113e3",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 5938,
"risk_score": 44
},
"payload_preview": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "29f6ed67d1104e7c5be5fcdecb9f597319eb9f37",
"protocol_details": {
"payload_preview": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"port": 5938
},
"evidence_snippet": "$",
"attack_vector": "Sonde port \u00b7 port 5938 \u00b7 (sonde \/ probe)",
"target_port_label": "5938",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5938,
"protocol_emulated": null,
"tags_summary": [
"pat-0768"
],
"tags_summary_labels_fr": [
"pat-0768"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0017$\u0010\u0004\u0000\u0000\u0000\u0000\u0000",
"port": 5938
},
"attack_vector": "Sonde port \u00b7 port 5938 \u00b7 (sonde \/ probe)",
"evidence_snippet": "$",
"target_port_label": "5938",
"emulator_service": null,
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5938"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
6000
|
—
|
Sonde port
Sonde port · port 6000 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6000
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 6000,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "5c8df6f4eabf9d7af3f3ecf6c7cf512e0b981324",
"event_fingerprint": "ee4840953fa1cc900d65a98f0af258a8aa6cd646",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 6000,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d2936c8ba6703a2374942872f8741d9affb522b2",
"protocol_details": {
"port": 6000
},
"attack_vector": "Sonde port \u00b7 port 6000 \u00b7 (sonde \/ probe)",
"target_port_label": "6000",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 6000,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 6000
},
"attack_vector": "Sonde port \u00b7 port 6000 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "6000",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "6000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
23 · Telnet
|
telnet
|
Sonde port 23/TCP
port 23 tcp · via Telnet:23 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
TELNET
WAF
—
Recommandation
Surveiller
Tags
net_telnet_probe
telnet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
23
Chemin / cible
—
Preuve honeypot — Sonde port 23/TCP
Connexion détectée sur le port 23 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_23_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20",
"emulator_response_len": 45,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "telnet",
"app_proto": "telnet",
"asn": 6939,
"country": "US",
"dst_port": 23,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "ee98e358747c5d752a0eb3d3b34c59d0ffe7f883",
"event_fingerprint": "79b983d64b1c5573cc70fb9163374500a6810d67",
"classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "telnet_probe",
"service_name": "telnet",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "2bb94c377622e6c9a2e704e9148568af"
},
"target_context": {
"dst_port": 23,
"service": "telnet",
"service_name": "telnet",
"risk_score": 42
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "375a927bb9bbd2eb33edd9b4264c0c0b9afc3f8d",
"protocol_details": {
"port": 23,
"service": "telnet",
"service_label_fr": "Telnet"
},
"attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)",
"target_port_label": "23 \u00b7 Telnet",
"emulator_service": "telnet",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_23_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "telnet",
"service_label_fr": "Telnet",
"dst_port": 23,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-telnet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 23,
"service": "telnet",
"service_label_fr": "Telnet"
},
"attack_vector": "port 23 tcp \u00b7 via Telnet:23 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "23 \u00b7 Telnet",
"emulator_service": "telnet",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "telnet",
"service_banner": "honeypot-telnet",
"service_os": "linux",
"dst_port": "23"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_telnet_probe",
"telnet_emulated"
]
}
|
|
|
TCP |
8001 · HTTP ALT 8001
|
http-alt-8001
|
http-alt-8001
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8001
Chemin / cible
—
Pourquoi cette classification : Type « http-alt-8001 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http-alt-8001",
"app_proto": "http-alt-8001",
"asn": 6939,
"country": "US",
"dst_port": 8001,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.5,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "e1b4b218a2ce3255af287d227584f045b97adf65",
"event_fingerprint": "049aef23df13456d89de208b1ad1953cb38ace86",
"classification_reason": "Type \u00ab http-alt-8001 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "http-alt-8001",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "9c5260292de253ed938f4ca5928a2933"
},
"target_context": {
"dst_port": 8001,
"service": "http-alt-8001",
"service_name": "http-alt-8001",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74387838a986846c7ad6ad3f688dc566b7b6a4cb",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8001 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8001 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "http-alt-8001",
"service_label_fr": "HTTP ALT 8001",
"dst_port": 8001,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8001",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8001",
"service_banner": "honeypot-http-alt-8001",
"service_os": "linux",
"dst_port": "8001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
811 · TLS
|
tls
|
Sonde PostgreSQL
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
811
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w������tb������{g?�ٵ���$��g,����������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.783919643307746,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 811,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8aeb81ecd8467e586dbcfea2b9ab4035b1f8c86f",
"event_fingerprint": "1e1cb2ec6f529705c1f04209ea12a685092bc953",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "ec7b4c162f4e4d81a46906e48afa8beb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e"
},
"target_context": {
"dst_port": 811,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0017\ufffd\u000e\ufffdtb\ufffd\ufffd\u0017\u0003\ufffd\u000f{g?\ufffd\u0675\ufffd\u0010\ufffd$\ufffd\ufffdg,\u001d\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0017\ufffd\u000e\ufffdtb\ufffd\ufffd\u0017\u0003\ufffd\u000f{g?\ufffd\u0675\ufffd\u0010\ufffd$\ufffd\ufffdg,\u001d\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0017\ufffd\u000e\ufffdtb\ufffd\ufffd\u0017\u0003\ufffd\u000f{g?\ufffd\u0675\ufffd\u0010\ufffd$\ufffd\ufffdg,\u001d\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0017\ufffd\u000e\ufffdtb\ufffd\ufffd\u0017\u0003\ufffd\u000f{g?\ufffd\u0675\ufffd\u0010\ufffd$\ufffd\ufffdg,\u001d\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0017\ufffd\u000e\ufffdtb\ufffd\ufffd\u0017\u0003\ufffd\u000f{g?\ufffd\u0675\ufffd\u0010\ufffd$\ufffd\ufffdg,\u001d\ufffd\ufffd\u0015\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c35d9f89c419514c6514c0f2f13e282b1c1c5def",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "811"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5443 · TLS
|
tls
|
Sonde PostgreSQL
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5443
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w���ݾt�E]r/���B%����J�5��r��ӹ�����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.811108863244334,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 5443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "38f4503bf18c3e5e5b8d3cb7e422a4dd8bfca84f",
"event_fingerprint": "3a8cd985a505433b936eaf5ee1545792f66b62d8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "955ee0c7ee7854533a1d88a3ef53597b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e"
},
"target_context": {
"dst_port": 5443,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u077et\ufffdE\u07fc]r\/\ufffd\ufffd\ufffdB%\u0000\ufffd\ufffd\u0016J\ufffd5\ufffd\ufffdr\u0010\ufffd\u04f9\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u077et\ufffdE\u07fc]r\/\ufffd\ufffd\ufffdB%\u0000\ufffd\ufffd\u0016J\ufffd5\ufffd\ufffdr\u0010\ufffd\u04f9\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u077et\ufffdE\u07fc]r\/\ufffd\ufffd\ufffdB%\u0000\ufffd\ufffd\u0016J\ufffd5\ufffd\ufffdr\u0010\ufffd\u04f9\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u077et\ufffdE\u07fc]r\/\ufffd\ufffd\ufffdB%\u0000\ufffd\ufffd\u0016J\ufffd5\ufffd\ufffdr\u0010\ufffd\u04f9\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u077et\ufffdE\u07fc]r\/\ufffd\ufffd\ufffdB%\u0000\ufffd\ufffd\u0016J\ufffd5\ufffd\ufffdr\u0010\ufffd\u04f9\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7e316f8f0d3924659c6ed6191d7740e1257da055",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
85 · HTTP
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Corrélations
Scan coordonné
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
85
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
72%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:85 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1",
"http_host_hash": "29631142709d39bee607e41cbb81ae54d3741f51",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 169,
"payload_entropy": 5.2360342832734466,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 85,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ed68869cc48bf61ae29e66092ad3920f57be3e81",
"event_fingerprint": "ea5e21d2efaa0f434d9ef1e584c6ff6aec043051",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.72,
"classification_confidence": 0.72,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ad82fd5622889299602e148bf3c011b2",
"payload_hash": "7ed836519fd100efe8c439721fbfab45",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 85,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56a7a26e3f91c61a296eba6735cb851460686e74",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "85"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "64.62.156.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "exploit_attempt",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
20020 · HTTP
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20020
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:20020
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:20020 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "1699bf2ce167864613b21b76d7cdfe72d7a3ee77",
"http_host_hash": "7c910635ebdd2ec7a02b91e4a18506786608faa0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 170,
"payload_entropy": 5.2820319769608615,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 20020,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5499ff8e00257e51ca6ae101648d99dfeec1e7ee",
"event_fingerprint": "5174ed0b0b3270d60847d066caeccc9e259c3941",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a9b04eae5d7849b602d5e5f0267ee823",
"payload_hash": "10114b92796c1bc7f95390f433f10c8a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 20020,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f68e5cc01dfd30b0b4db1cdc61d011cb5391798e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "20020"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploit_attempt",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
808 · HTTP
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
808
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:808
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:808 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "76e810ba11beffca21af36284af8f7c4cbad704b",
"http_host_hash": "5ff341c6c9fd5ee9340b3a8d5d6696bdd61a3b19",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 168,
"payload_entropy": 5.300224695183652,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 808,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c3b62219943f90d28418a565d1abb5e4c1f44e2e",
"event_fingerprint": "52e3c9ccd2494e74559049ebe4c06c78dc91411e",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2eede17756369e2b2c066e6901da1775",
"payload_hash": "b4ebb06da5d3aa22dba2bdc8cf865ed5",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 808,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:123.0) Gecko\/20100101 Firefox\/123.0",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "58f672f41cfd93b7b8029f9d0e3a9996601bfe69",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "808"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploit_attempt",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
8443
|
https
|
Sonde PostgreSQL
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_web_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8443
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��U��{�JӁ����$�������vΡ��QW�ߦ�����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 128,
"payload_entropy": 4.832631421854986,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "https",
"app_proto": "https",
"asn": 6939,
"country": "US",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 15,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046",
"event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0c1dcf794c3a8ca1d9d8538814e6350e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8443,
"service": "https"
},
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003U\ufffd\ufffd{\ufffdJ\u04c1\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000v\u03a1\ufffd\ufffdQW\u001f\u07e6\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003U\ufffd\ufffd{\ufffdJ\u04c1\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000v\u03a1\ufffd\ufffdQW\u001f\u07e6\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003U\ufffd\ufffd{\ufffdJ\u04c1\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000v\u03a1\ufffd\ufffdQW\u001f\u07e6\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003U\ufffd\ufffd{\ufffdJ\u04c1\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000v\u03a1\ufffd\ufffdQW\u001f\u07e6\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003U\ufffd\ufffd{\ufffdJ\u04c1\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000v\u03a1\ufffd\ufffdQW\u001f\u07e6\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ade2ea1c83657e8fe5fbec917f7a016437547c41",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_web_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
11453
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11453
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 OPR/94.0.0.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:11453
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:11453 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 OPR/94.0.0.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "61885709713115f1b4bacae72cebb1d68a36adba",
"http_host_hash": "3ab9146a8be781e88befb03410628933414eaa92",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 216,
"payload_entropy": 5.410950580365168,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 11453,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8fb8362585ded217975079df361c9bc83ed5f0ba",
"event_fingerprint": "a28b01b1ee3e7c2c7dd41b62ed37c9d2bf288e02",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4e0cc9dbc3fd99f88e216b06a88c1a16",
"payload_hash": "f204454a3e8da0620810191d3af43c8a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11453,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36 OPR\/94.0.0.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36 OPR\/94.0.0.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36 OPR\/94.0.0.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36 OPR\/94.0.0.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0bc44ac5227c8bba1b65b31c84ebd1f2455354a",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
14443
|
tls
|
Sonde PostgreSQL
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
14443
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��E��6X�y����&+�-�2BI{��@E���������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.835912002933164,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 14443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "1f790bde12b83724b98785d5b8fb40e3902abc19",
"event_fingerprint": "b0469780909c94d5d8e13edaef9c9e479df59dc8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "48d7f5b9f3a9f45a0068e77528ea181b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 14443,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\b\ufffd6X\ufffdy\ufffd\ufffd\ufffd\ufffd&+\ufffd-\ufffd2BI{\ufffd\ufffd@E\ufffd\u0014\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\b\ufffd6X\ufffdy\ufffd\ufffd\ufffd\ufffd&+\ufffd-\ufffd2BI{\ufffd\ufffd@E\ufffd\u0014\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\b\ufffd6X\ufffdy\ufffd\ufffd\ufffd\ufffd&+\ufffd-\ufffd2BI{\ufffd\ufffd@E\ufffd\u0014\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\b\ufffd6X\ufffdy\ufffd\ufffd\ufffd\ufffd&+\ufffd-\ufffd2BI{\ufffd\ufffd@E\ufffd\u0014\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\b\ufffd6X\ufffdy\ufffd\ufffd\ufffd\ufffd&+\ufffd-\ufffd2BI{\ufffd\ufffd@E\ufffd\u0014\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ca4af434a0bd040fbc69435cf63ac7136931a1d",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8081
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8081
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 OPR/95.0.0.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 OPR/95.0.0.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "78ddc17af207f26ad6341d21c42d503e717dc1a2",
"http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 215,
"payload_entropy": 5.417925281047183,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 8081,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d6e8827ceea05fd8f99d65de9db503cd2763048",
"event_fingerprint": "e655cce1d5fb43c4d97a30acd0b655feb29cad21",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "eadc58500151636864941ac7b884acab",
"payload_hash": "be3655d204f8b1dd44fb43af04eee916",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8081,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36 OPR\/95.0.0.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36 OPR\/95.0.0.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36 OPR\/95.0.0.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36 OPR\/95.0.0.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "19e4bdb2cd9daf962c8c2ade5630dc821654f034",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
1337
|
ssh
|
Sonde SSH
|
Élevée
|
Faible · 11
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1337
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-Go
Meta JSON brut
{
"bytes_in": 12,
"payload_entropy": 3.2516291673878226,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "ssh",
"app_proto": "ssh",
"asn": 6939,
"country": "US",
"dst_port": 1337,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 11,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "ef24d368f159022f5481de2782be68c084e8a8ed",
"event_fingerprint": "6113ffac56a31cde3a01b38f7d6417ad5f5e5782",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 1337,
"service": "ssh"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "SSH-2.0-Go\r\n",
"event_signature": "3e024709ce9e952d959dceee7a5ebaa8c76ca9b4",
"ban_policy": "advisory_monitor",
"tags_list": [
"ssh_banner"
]
}
|
|
|
TCP |
500
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
500
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "772d2e5ccb491d01f46e935d68e3d3cdcb06123e",
"http_host_hash": "bdf99e699f1c4e2e2695d8cdc97bc098e338cd8b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 160,
"payload_entropy": 5.2697636455655426,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "7c43ce2d07dded2145b77f51304d7790fd88697b",
"event_fingerprint": "66c66d0419711de90d8b5275f460918f08364b89",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
449
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9200
|
tls
|
Sonde TLS
|
Élevée
|
Élevé · 81
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
30005
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30005
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "29eb7064ac60b6748d87727e5ef8f5ef636716fb",
"http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 203,
"payload_entropy": 5.3716852682688865,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e1c62bc8eb6dd1ee3fbc06d7db79df125dbfaabf",
"event_fingerprint": "c39fcab651edf9ff48e0ed96197416f48b5cf734",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6516
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3389
|
rdp
|
rdp attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6161
|
—
|
Sonde port
|
Faible
|
Faible · 5
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
7900
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5002
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9443
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8888
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "86f09316f9133f31babb88b8a4e3cc87d23adaca",
"http_host_hash": "25a58e7d7f0ed40aadf0d51b038172ea9ccc8435",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.2415494503415845,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "a7a08208134adafac3126e580d2bc0b22f0c1f34",
"event_fingerprint": "36f19c924c6f466935adb9e91d07b867f7310dd4",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
548
|
afp
|
afp
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
500
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8030
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5988
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5988
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6befef60a2383c468a0dc43eb9fa222cafd7a552",
"http_host_hash": "1e24201bf52779e8f84d5915ca7d65a510cbc1a5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.307425865849575,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "36b23628abf464c3fe481bc9a4062d74fcb362e8",
"event_fingerprint": "5dbf238213f344ff4b64567f1592ccb60dd52d63",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
808
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
808
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "fb99546d153e45c3c498353b7103de2866a4cc10",
"http_host_hash": "5ff341c6c9fd5ee9340b3a8d5d6696bdd61a3b19",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 215,
"payload_entropy": 5.409087446024438,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e90a69c72f94a667878ee7bbd4835188e4102d55",
"event_fingerprint": "4739263e99f05c0436f984d348b3d933660e9301",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5900
|
vnc
|
vnc attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
30005
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30005
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.85 Safari/537.36 OPR/80.0.4170.72
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "97c43e79974f1807fdab2cb10ef0ebe0080fadb8",
"http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 213,
"payload_entropy": 5.46701463850376,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e1c62bc8eb6dd1ee3fbc06d7db79df125dbfaabf",
"event_fingerprint": "c39fcab651edf9ff48e0ed96197416f48b5cf734",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
801
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
801
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 YaBrowser/24.1.0.0 Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "be92d196992071c843b746290289133afa844cfb",
"http_host_hash": "7fcf178b2cbd7428736dd988ee2cc7c3810d4aa7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 226,
"payload_entropy": 5.420584292116164,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "1d33457d9fecdd2d5226c05f0ab488c2d75d46dc",
"event_fingerprint": "adc3cfe928cb8d3d0cd29a6d500abf89f9130b7a",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
3389
|
rdp
|
rdp attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
27017
|
mongodb
|
Sonde MongoDB
|
Élevée
|
Élevé · 74
|
|
Étape
—
WAF
—
Recommandation
—
Tags
mongodb_enum_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|