|
|
TCP |
82 · HTTP
|
http
|
SSRF interne
ssrf internal · via HTTP:82 · (tentative d'exploit)
|
Élevée
|
Moyen · 48
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
82
Chemin / cible
/
Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54%
Confiance classification
54%
Risque capteur
Moyen
· 48
Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
CRS-920350
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:82
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "2c4ecd7a2ef5387fbf9ac3f62cdd576556faa53e",
"http_host_hash": "b00c56701bd04898edc8a488547d32d613363649",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 218,
"payload_entropy": 5.374413709672675,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 82,
"risk_waf": 72,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "39b03ee81ef13b98c0af55c09e73d3c33a944deb",
"event_fingerprint": "99d1fa91829a98776d27b93154df102b814f8f2d",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"confidence": 0.54,
"classification_confidence": 0.54,
"precision_score": 64,
"precision_signals": [
"CRS-920350"
],
"kb_rule_ids": [
"CRS-920350"
],
"matched_patterns": [
"pat-0324"
],
"matched_pattern_names": [
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"classification_parent": "ssrf_attack",
"service_name": "http",
"risk_confidence_factor": 54,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "594907ec90454a1b31b771079e6ce7a5",
"payload_hash": "b8470733af3e7f27d0a67f6d591880a7",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 82,
"service": "http",
"service_name": "http",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8601f4baaeccf691136fdfa95360374483f72274",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "ssrf internal \u00b7 via HTTP:82 \u00b7 (tentative d'exploit)",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 54 % \u2014 via HTTP",
"confidence_pct": 54,
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 82,
"protocol_emulated": null,
"tags_summary": [
"CRS-920350"
],
"tags_summary_labels_fr": [
"CRS-920350"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "ssrf internal \u00b7 via HTTP:82 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
444 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:444 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
444
Chemin / cible
—
Service
TLS
Payload
����{���w��0��A����)~�2Vf+���JmEz�"Gת��������/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��0��A����)~�2Vf+���JmEz�"Gת��������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.876889444322512,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 444,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "9bff362b5e4b1fc54e3e921cb3112e46219b6d26",
"event_fingerprint": "8b40a48bc548893c3713866ab0b49b15cee7f8a7",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "3364b0c06d41e155241b7d96611f499b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 444,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u00030\ufffd\ufffdA\ufffd\u0018\u0010\ufffd)~\ufffd2Vf+\ufffd\ufffd\u001cJmEz\ufffd\"G\u05ea\u001e\u0006\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u00030\ufffd\ufffdA\ufffd\u0018\u0010\ufffd)~\ufffd2Vf+\ufffd\ufffd\u001cJmEz\ufffd\"G\u05ea\u001e\u0006\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u00030\ufffd\ufffdA\ufffd\u0018\u0010\ufffd)~\ufffd2Vf+\ufffd\ufffd\u001cJmEz\ufffd\"G\u05ea\u001e\u0006\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ee9e1d88e3530ceebd7b442f3ecf222c4f00d4f1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u00030\ufffd\ufffdA\ufffd\u0018\u0010\ufffd)~\ufffd2Vf+\ufffd\ufffd\u001cJmEz\ufffd\"G\u05ea\u001e\u0006\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 444,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{w0\ufffd\ufffdA\ufffd\ufffd)~\ufffd2Vf+\ufffd\ufffdJmEz\ufffd\"G\u05ea\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)",
"target_port_label": "444 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 444,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u00030\ufffd\ufffdA\ufffd\u0018\u0010\ufffd)~\ufffd2Vf+\ufffd\ufffd\u001cJmEz\ufffd\"G\u05ea\u001e\u0006\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 444,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w0\ufffd\ufffdA\ufffd\ufffd)~\ufffd2Vf+\ufffd\ufffdJmEz\ufffd\"G\u05ea\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "444 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "444"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
1962 · OPCUA
|
opcua
|
Sonde OPC-UA
opcua probe · via OPCUA:1962 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
OPCUA
WAF
—
Recommandation
Surveiller
Tags
net_opcua_probe
opcua_emulated
opcua_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1962
Chemin / cible
—
Service
OPCUA
Payload
��������x���� IBETH01N0_M�
Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0577
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������x�����IBETH01N0_M
Meta JSON brut
{
"protocol_emulated": true,
"bytes_in": 26,
"payload_entropy": 3.6235166412180138,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "opcua",
"app_proto": "opcua",
"asn": 6939,
"country": "US",
"dst_port": 1962,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b77418521b9fbaa455593ce59f00d277390a8514",
"event_fingerprint": "77d4f06fada296e8a13c68586eb11d683ca37590",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0577"
],
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"service_name": "opcua",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b7348cda1310dd8e9699ce5ceda794a9",
"path_pattern_hash": "9665a326f7d8f70f1661dab78807b951"
},
"target_context": {
"dst_port": 1962,
"service": "opcua",
"service_name": "opcua",
"risk_score": 35
},
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"evidence": {
"request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fef08f15d85830efa6e598a79fc7f71c33ec6ec7",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"port": 1962,
"service": "opcua",
"service_label_fr": "OPCUA"
},
"evidence_snippet": "x\ufffdIBETH01N0_M",
"attack_vector": "opcua probe \u00b7 via OPCUA:1962 \u00b7 (sonde \/ probe)",
"target_port_label": "1962 \u00b7 OPCUA",
"emulator_service": "opcua",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "opcua",
"service_label_fr": "OPCUA",
"dst_port": 1962,
"protocol_emulated": true,
"tags_summary": [
"pat-0577"
],
"tags_summary_labels_fr": [
"pat-0577"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-opcua",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0000x\ufffd\u0000\u0003\u0000\fIBETH01N0_M\u0000",
"port": 1962,
"service": "opcua",
"service_label_fr": "OPCUA"
},
"attack_vector": "opcua probe \u00b7 via OPCUA:1962 \u00b7 (sonde \/ probe)",
"evidence_snippet": "x\ufffdIBETH01N0_M",
"target_port_label": "1962 \u00b7 OPCUA",
"emulator_service": "opcua",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "opcua",
"service_banner": "honeypot-opcua",
"service_os": "linux",
"dst_port": "1962"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_opcua_probe",
"opcua_emulated",
"opcua_payload"
]
}
|
|
|
TCP |
83 · HTTP
|
http
|
Tentative d'exploit
exploit attempt · via HTTP:83 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
83
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 46
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:83
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:83 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "716324c417916203c790f98e099ae6e192f53242",
"http_host_hash": "694048aafc409256f88bc22a99ef68d4a126a60b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 233,
"payload_entropy": 5.412182832275025,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 83,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e79c3b9f0e171e5742032cee6fda57ed4e33ba10",
"event_fingerprint": "3e93ac27e27b651526bf414bb288df0a0f93c160",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1d6b36839b4adf1b86c5d9341d6b52e9",
"payload_hash": "3f079b3c84a2368a03badfd7f272a7e8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 83,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b071432e9613416bef88ba93b90c207c2841b520",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026",
"port": 83,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d'exploit)",
"target_port_label": "83 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 83,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026",
"port": 83,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "83 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "83"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
12443 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:12443 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
12443
Chemin / cible
—
Service
TLS
Payload
����{���w���S+�x�K�J�Pq���?�O��5Bt�P���4A������/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w���S+�x�K�J�Pq���?�O��5Bt�P���4A������/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.776028980465638,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 12443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "1f6ba67d027b9c1d3f7bc207c9b1ae8a07371fa7",
"event_fingerprint": "36c198dcd21a6679ffec5b0bc88d8a1177acd701",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "021bea92841bda0ac0bc82f6b8eee04e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 12443,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd\u0004?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd\u0007\u00004A\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd\u0004?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd\u0007\u00004A\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd\u0004?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd\u0007\u00004A\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3542c2389f50d738f1cd6b0e5cdac97a56514ead",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd\u0004?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd\u0007\u00004A\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 12443,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{w\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd4A\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:12443 \u00b7 (sonde \/ probe)",
"target_port_label": "12443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 12443,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd\u0004?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd\u0007\u00004A\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 12443,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:12443 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w\ufffdS+\ufffdx\ufffdK\ufffdJ\ufffdPq\ufffd\ufffd?\ufffdO\ufffd\ufffd5Bt\ufffdP\ufffd4A\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "12443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "12443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
20020 · HTTP
|
http
|
Tentative d'exploit
exploit attempt · via HTTP:20020 · (tentative d'exploit)
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20020
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 47
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:20020
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:20020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "539ecdad151c9c9dc71f317e9e2fbae4aee81334",
"http_host_hash": "7c910635ebdd2ec7a02b91e4a18506786608faa0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 203,
"payload_entropy": 5.3720772847909215,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 20020,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5499ff8e00257e51ca6ae101648d99dfeec1e7ee",
"event_fingerprint": "5174ed0b0b3270d60847d066caeccc9e259c3941",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "df9c14bed57e6bde007625ceaa20e44f",
"payload_hash": "7ac070801c37409eb1715246a4eb4893",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 20020,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c3aa4d925d56dd976616f9fada2aa8df64ee74b9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36",
"port": 20020,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "exploit attempt \u00b7 via HTTP:20020 \u00b7 (tentative d'exploit)",
"target_port_label": "20020 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 20020,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36",
"port": 20020,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:20020 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "20020 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "20020"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
11453 · HTTP
|
http
|
Tentative d'exploit
exploit attempt · via HTTP:11453 · (tentative d'exploit)
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11453
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 45
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/110.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:11453
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/110.0
Accept
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:11453 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/110.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "251a175d2d76af2b4463104d533bae7fdd9d7c89",
"http_host_hash": "3ab9146a8be781e88befb03410628933414eaa92",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 160,
"payload_entropy": 5.123390341489438,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 11453,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8fb8362585ded217975079df361c9bc83ed5f0ba",
"event_fingerprint": "a28b01b1ee3e7c2c7dd41b62ed37c9d2bf288e02",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "900e650d7d6e09afb5f2f4fa8b7dc1fa",
"payload_hash": "751ddc0b10cc3f5be2530fcdf734a5f1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11453,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8cda892157567180be81669d4d35969fade46fc2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0",
"port": 11453,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept",
"attack_vector": "exploit attempt \u00b7 via HTTP:11453 \u00b7 (tentative d'exploit)",
"target_port_label": "11453 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 11453,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0",
"port": 11453,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:11453 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11453\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:110.0) Gecko\/20100101 Firefox\/110.0\r\nAccept",
"target_port_label": "11453 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "11453"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
500 · HTTP
|
http
|
SSRF interne
ssrf internal · via HTTP:500 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
500
Chemin / cible
/
Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54%
Confiance classification
54%
Risque capteur
Moyen
· 46
Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
CRS-920350
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:500 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.50 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "2c4ecd7a2ef5387fbf9ac3f62cdd576556faa53e",
"http_host_hash": "bdf99e699f1c4e2e2695d8cdc97bc098e338cd8b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 219,
"payload_entropy": 5.345400429127993,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 500,
"risk_waf": 72,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8cb872b3bb25dd170b8db53758b2f81922d0046a",
"event_fingerprint": "0efaed1a9aaf775c7e37bec5d27fd391123275f3",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"confidence": 0.54,
"classification_confidence": 0.54,
"precision_score": 64,
"precision_signals": [
"CRS-920350"
],
"kb_rule_ids": [
"CRS-920350"
],
"matched_patterns": [
"pat-0324"
],
"matched_pattern_names": [
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"named_classification_skipped": false,
"classification_parent": "ssrf_attack",
"service_name": "http",
"risk_confidence_factor": 54,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "594907ec90454a1b31b771079e6ce7a5",
"payload_hash": "f2f5d3cd269f8ecc50e3dff3c2a78052",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 500,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110.0.1587.50\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "58004fe7df3ea031649373f3572fedaa95200a8c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 500,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "ssrf internal \u00b7 via HTTP:500 \u00b7 (tentative d'exploit)",
"target_port_label": "500 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 54 % \u2014 via HTTP",
"confidence_pct": 54,
"confidence_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 500,
"protocol_emulated": null,
"tags_summary": [
"CRS-920350"
],
"tags_summary_labels_fr": [
"CRS-920350"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36 Edg\/110\u2026",
"port": 500,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "ssrf internal \u00b7 via HTTP:500 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "500 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "500"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
9642 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:9642 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9642
Chemin / cible
—
Service
TLS
Payload
����{���w��N �A� �װ�=�� �a�����u��4�y��vyg����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��N �A�
�װ�=����a�����u��4�y��vyg����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.7734120029331635,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 9642,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "dbdd9704a0fcb9f5b3aa66cb9fc1dee4803dc208",
"event_fingerprint": "6e13a12df03aba0e14d85319f8a2e74e95feab69",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "244b17aebd2456a5d0bd877eb74c2fad",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9642,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\t\u0016A\ufffd\r\u000e\u05f0\u0019=\ufffd\ufffd\u000b\u001aa\ufffd\ufffd\ufffd\u0011\ufffdu\ufffd\ufffd4\ufffdy\ufffd\u0014vyg\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\t\u0016A\ufffd\r\u000e\u05f0\u0019=\ufffd\ufffd\u000b\u001aa\ufffd\ufffd\ufffd\u0011\ufffdu\ufffd\ufffd4\ufffdy\ufffd\u0014vyg\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\t\u0016A\ufffd\r\u000e\u05f0\u0019=\ufffd\ufffd\u000b\u001aa\ufffd\ufffd\ufffd\u0011\ufffdu\ufffd\ufffd4\ufffdy\ufffd\u0014vyg\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "da291fadcb0dedeeb280288d1c07886cbb130fc3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\t\u0016A\ufffd\r\u000e\u05f0\u0019=\ufffd\ufffd\u000b\u001aa\ufffd\ufffd\ufffd\u0011\ufffdu\ufffd\ufffd4\ufffdy\ufffd\u0014vyg\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9642,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{wN\tA\ufffd\r\u05f0=\ufffd\ufffda\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd4\ufffdy\ufffdvyg\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:9642 \u00b7 (sonde \/ probe)",
"target_port_label": "9642 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9642,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\t\u0016A\ufffd\r\u000e\u05f0\u0019=\ufffd\ufffd\u000b\u001aa\ufffd\ufffd\ufffd\u0011\ufffdu\ufffd\ufffd4\ufffdy\ufffd\u0014vyg\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 9642,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:9642 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{wN\tA\ufffd\r\u05f0=\ufffd\ufffda\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd4\ufffdy\ufffdvyg\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "9642 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9642"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9001 · TOR OR
|
tor-or
|
tor exit probe
tor exit probe · via TOR OR:9001 · (commande & contrôle)
|
Élevée
|
Moyen · 43
|
|
Étape
Commande & contrôle
Chaîne
Commande & contrôle
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0011
TA0011
Protocole
Émulateur
TOR-OR
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_tor_probe
tor_exit_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9001
Chemin / cible
—
Service
TOR OR
Payload
GET / HTTP/1.1 Host: 62.3.50.33:9001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/11
Pourquoi cette classification : Type « tor_exit_probe » (signaux protocolaires) · confiance 46%
Confiance classification
46%
Confiance modérée — signal unique
Risque capteur
Moyen
· 43
Confiance : Confiance 46 % — 6 signal(aux) capteur
Protocole émulé
1
Signaux
Tor Exit Hint
Technique MITRE
TA0011
Tactiques MITRE
TA0011
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/11
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "030000000000000000",
"emulator_response_len": 9,
"bytes_in": 171,
"payload_entropy": 5.18867489163437,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tor-or",
"app_proto": "tor-or",
"asn": 6939,
"country": "US",
"dst_port": 9001,
"risk_waf": 8,
"risk_classification": 62,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 43,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "d967b0275d13a566643f776c2f2ca13b50a86244",
"event_fingerprint": "2bc74a66a243c40126697f519e65200a159d147e",
"classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%",
"confidence": 0.46,
"classification_confidence": 0.46,
"precision_score": 55,
"precision_signals": [
"INT-TOR-exit-hint"
],
"kb_rule_ids": [
"INT-TOR-exit-hint"
],
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 43
},
"named_classification_skipped": false,
"service_name": "tor-or",
"risk_confidence_factor": 46,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "226aef12529896cb0b89be6f1a652140",
"path_pattern_hash": "d2d40d620e587c49ef0af866b893b1d5"
},
"target_context": {
"dst_port": 9001,
"service": "tor-or",
"service_name": "tor-or",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/111.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/111.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%"
},
"attack_stage": "c2",
"mitre_tactics": [
"TA0011"
],
"mitre": "TA0011",
"threat_family": [
"botnet"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cea0dad9ab1a43a78099d9e188d0b8109333954b",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"port": 9001,
"service": "tor-or",
"service_label_fr": "TOR OR"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"attack_vector": "tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande & contr\u00f4le)",
"target_port_label": "9001 \u00b7 TOR OR",
"emulator_service": "tor-or",
"confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%",
"classification_reason_label_fr": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via TOR OR",
"confidence_pct": 46,
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 43
},
"attack_stage": "c2",
"attack_stage_label": "Commande & contr\u00f4le",
"attack_chain_stage": "command_and_control",
"attack_chain_stage_label_fr": "Commande & contr\u00f4le",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "tor-or",
"service_label_fr": "TOR OR",
"dst_port": 9001,
"protocol_emulated": true,
"tags_summary": [
"INT-TOR-exit-hint"
],
"tags_summary_labels_fr": [
"Tor Exit Hint"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0011",
"mitre_technique": "TA0011",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tor-or",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"port": 9001,
"service": "tor-or",
"service_label_fr": "TOR OR"
},
"attack_vector": "tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande & contr\u00f4le)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/11",
"target_port_label": "9001 \u00b7 TOR OR",
"emulator_service": "tor-or",
"confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "stage"
},
{
"key": "command_and_control",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tor_or",
"service_banner": "honeypot-tor-or",
"service_os": "linux",
"dst_port": "9001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "command_and_control",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_tor_probe",
"tor_exit_probe",
"tor_or_emulated",
"tor_or_payload"
]
}
|
|
|
TCP |
25 · SMTP
|
smtp
|
Sonde port 25/TCP
port 25 tcp · via SMTP:25 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMTP
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_smtp_probe
smtp_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
25
Chemin / cible
—
Preuve honeypot — Sonde port 25/TCP
Connexion détectée sur le port 25 (TCP) du capteur simulé.
Service
SMTP
Payload
GET / HTTP/1.1 Host: 62.3.50.33:25 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.
Pourquoi cette classification : Type « port_25_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 45
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:25 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "323230206d61696c2e6578616d706c652e636f6d2045534d545020506f737466697820285562756e7475290d0a35303220352e352e32204572726f723a20636f6d6d616e64206e6f74207265636f676e697a65640d0a",
"emulator_response_len": 86,
"bytes_in": 169,
"payload_entropy": 5.221187899268451,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "smtp",
"app_proto": "smtp",
"asn": 6939,
"country": "US",
"dst_port": 25,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d5ebffd5a0db198c02921a042247c577fc406d08",
"event_fingerprint": "3d09fc52d69030bda96b86438d4460cfb5a981fd",
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": true,
"named_candidate": "smtp_probe",
"service_name": "smtp",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6ea87f53ee4a1f80a70ecd9321609524",
"path_pattern_hash": "b092d319b1811e4f4d12f749391d1fc5"
},
"target_context": {
"dst_port": 25,
"service": "smtp",
"service_name": "smtp",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "824aeac9b02185531d877ca3aef5ce29c2961924",
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"port": 25,
"service": "smtp",
"service_label_fr": "SMTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"attack_vector": "port 25 tcp \u00b7 via SMTP:25 \u00b7 (sonde \/ probe)",
"target_port_label": "25 \u00b7 SMTP",
"emulator_service": "smtp",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "smtp",
"service_label_fr": "SMTP",
"dst_port": 25,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Postfix ESMTP",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"port": 25,
"service": "smtp",
"service_label_fr": "SMTP"
},
"attack_vector": "port 25 tcp \u00b7 via SMTP:25 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.",
"target_port_label": "25 \u00b7 SMTP",
"emulator_service": "smtp",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mail",
"service_banner": "Postfix ESMTP",
"service_os": "linux",
"dst_port": "25"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_smtp_probe",
"smtp_emulated"
]
}
|
|
|
TCP |
873 · RSYNC
|
rsync
|
rsync probe
rsync probe · via RSYNC:873 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
RSYNC
WAF
—
Recommandation
Surveiller
Tags
net_rsync_probe
redis_rdb_sync
rsync_emulated
rsync_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
873
Chemin / cible
—
Service
RSYNC
Payload
@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4
Pourquoi cette classification : Type « rsync_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a",
"emulator_response_len": 60,
"bytes_in": 42,
"payload_entropy": 4.266502839084849,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "rsync",
"app_proto": "rsync",
"asn": 6939,
"country": "US",
"dst_port": 873,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ba612222d4768e5f58a1607ac2d9d2511f5239d7",
"event_fingerprint": "b8e7f2d6a44abcd0eaea4d28adc634b3cbaedb93",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "rsync",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "befa1ea090df7b8f9bbcc964bdc5d1fc",
"path_pattern_hash": "fa887033768ad7efd3289b383db625e0"
},
"target_context": {
"dst_port": 873,
"service": "rsync",
"service_name": "rsync",
"risk_score": 34
},
"payload_preview": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"request_sample": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"payload_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"evidence": {
"request_sample": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"payload_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "453ddc6e7d181de518b648ee2f4dc71234952e1d",
"protocol_details": {
"payload_preview": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"port": 873,
"service": "rsync",
"service_label_fr": "RSYNC"
},
"evidence_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)",
"target_port_label": "873 \u00b7 RSYNC",
"emulator_service": "rsync",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "rsync",
"service_label_fr": "RSYNC",
"dst_port": 873,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rsync",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"port": 873,
"service": "rsync",
"service_label_fr": "RSYNC"
},
"attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"target_port_label": "873 \u00b7 RSYNC",
"emulator_service": "rsync",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rsync",
"service_banner": "honeypot-rsync",
"service_os": "linux",
"dst_port": "873"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_rsync_probe",
"redis_rdb_sync",
"rsync_emulated",
"rsync_payload",
"rsync_probe"
]
}
|
|
|
TCP |
873 · RSYNC
|
rsync
|
rsync probe
rsync probe · via RSYNC:873 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
RSYNC
WAF
—
Recommandation
Surveiller
Tags
net_rsync_probe
redis_rdb_sync
rsync_emulated
rsync_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
873
Chemin / cible
—
Service
RSYNC
Payload
@RSYNCD: 31.0
Pourquoi cette classification : Type « rsync_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYNCD: 31.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a",
"emulator_response_len": 60,
"bytes_in": 14,
"payload_entropy": 3.8073549220576055,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "rsync",
"app_proto": "rsync",
"asn": 6939,
"country": "US",
"dst_port": 873,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ba612222d4768e5f58a1607ac2d9d2511f5239d7",
"event_fingerprint": "b8e7f2d6a44abcd0eaea4d28adc634b3cbaedb93",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "rsync",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dbc456a2cc47132c0c860fefa9f3bb45",
"path_pattern_hash": "fa887033768ad7efd3289b383db625e0"
},
"target_context": {
"dst_port": 873,
"service": "rsync",
"service_name": "rsync",
"risk_score": 34
},
"payload_preview": "@RSYNCD: 31.0\n",
"request_sample": "@RSYNCD: 31.0\n",
"payload_snippet": "@RSYNCD: 31.0",
"evidence": {
"request_sample": "@RSYNCD: 31.0\n",
"payload_snippet": "@RSYNCD: 31.0",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "49b140b333d7baffc0ce5763af9e519a3c86d50c",
"protocol_details": {
"payload_preview": "@RSYNCD: 31.0",
"port": 873,
"service": "rsync",
"service_label_fr": "RSYNC"
},
"evidence_snippet": "@RSYNCD: 31.0",
"attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)",
"target_port_label": "873 \u00b7 RSYNC",
"emulator_service": "rsync",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "rsync",
"service_label_fr": "RSYNC",
"dst_port": 873,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rsync",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "@RSYNCD: 31.0",
"port": 873,
"service": "rsync",
"service_label_fr": "RSYNC"
},
"attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYNCD: 31.0",
"target_port_label": "873 \u00b7 RSYNC",
"emulator_service": "rsync",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rsync",
"service_banner": "honeypot-rsync",
"service_os": "linux",
"dst_port": "873"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_rsync_probe",
"redis_rdb_sync",
"rsync_emulated",
"rsync_payload",
"rsync_probe"
]
}
|
|
|
TCP |
5903 · VNC 3
|
vnc-3
|
Sonde port 5903/TCP
port 5903 tcp · via VNC 3:5903 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
VNC-3
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5903
Chemin / cible
—
Preuve honeypot — Sonde port 5903/TCP
Connexion détectée sur le port 5903 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5903_tcp » (signaux protocolaires) · confiance 69%
Confiance classification
69%
Risque capteur
Moyen
· 41
Confiance : Confiance 69 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
Tcp Vnc Auth
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "vnc-3",
"app_proto": "vnc-3",
"asn": 6939,
"country": "US",
"dst_port": 5903,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "8f34496d5166832fc6cac5aaedc6543fb4342b9b",
"event_fingerprint": "a8d3fed671438e2c65c81445e5e14021e47b4e84",
"classification_reason": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 82,
"precision_signals": [
"INT-tcp-vnc-auth"
],
"kb_rule_ids": [
"INT-tcp-vnc-auth"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": true,
"named_candidate": "vnc_bruteforce",
"service_name": "vnc-3",
"risk_confidence_factor": 69,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "e12eeafa5ebc622db8927e7dea35233f"
},
"target_context": {
"dst_port": 5903,
"service": "vnc-3",
"service_name": "vnc-3",
"risk_score": 41
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "79a81809fd3a865777844fd4fc1d993788e14dc5",
"protocol_details": {
"port": 5903,
"service": "vnc-3",
"service_label_fr": "VNC 3"
},
"attack_vector": "port 5903 tcp \u00b7 via VNC 3:5903 \u00b7 (sonde \/ probe)",
"target_port_label": "5903 \u00b7 VNC 3",
"emulator_service": "vnc-3",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"classification_reason_label_fr": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "vnc-3",
"service_label_fr": "VNC 3",
"dst_port": 5903,
"protocol_emulated": true,
"tags_summary": [
"INT-tcp-vnc-auth"
],
"tags_summary_labels_fr": [
"Tcp Vnc Auth"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-vnc-3",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5903,
"service": "vnc-3",
"service_label_fr": "VNC 3"
},
"attack_vector": "port 5903 tcp \u00b7 via VNC 3:5903 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5903 \u00b7 VNC 3",
"emulator_service": "vnc-3",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc_3",
"service_banner": "honeypot-vnc-3",
"service_os": "linux",
"dst_port": "5903"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
]
}
|
|
|
TCP |
5555 · PERSONAL AGENT
|
personal-agent
|
Agent personnel
personal-agent · via PERSONAL AGENT:5555 · (sonde / probe)
|
Faible
|
Faible · 4
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PERSONAL-AGENT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5555
Chemin / cible
—
Service
PERSONAL AGENT
Payload
CNXN������������2�������host::�
Pourquoi cette classification : Type « personal-agent » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 4
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
CNXN������������2�������host::
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420706572736f6e616c5f6167656e7420726561647920706f72743d353535350d0a",
"emulator_response_len": 45,
"bytes_in": 31,
"payload_entropy": 3.3729205036561045,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "personal-agent",
"app_proto": "personal-agent",
"asn": 6939,
"country": "US",
"dst_port": 5555,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 4,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "888a6b39853f357075a34073a4e945bdda29b414",
"event_fingerprint": "d93c6d08fd760998a271a8a23a13788b18b2adca",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab personal-agent \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 4,
"correlation_boost": 8
},
"service_name": "personal-agent",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2ab0510cc4156c41c24112bc2a720db2",
"path_pattern_hash": "e3da19b853113b154539c506fed9fe37"
},
"target_context": {
"dst_port": 5555,
"service": "personal-agent",
"service_name": "personal-agent",
"risk_score": 4
},
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"evidence": {
"request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"classification_reason": "Type \u00ab personal-agent \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5c62c6d08dd6be177590e772dc547ceb479b8747",
"protocol_details": {
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"port": 5555,
"service": "personal-agent",
"service_label_fr": "PERSONAL AGENT"
},
"evidence_snippet": "CNXN2\ufffd\ufffd\ufffd\ufffdhost::",
"attack_vector": "personal-agent \u00b7 via PERSONAL AGENT:5555 \u00b7 (sonde \/ probe)",
"target_port_label": "5555 \u00b7 PERSONAL AGENT",
"emulator_service": "personal-agent",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab personal-agent \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab personal-agent \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 4,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 4,
"risk_label": "Faible",
"service_name": "personal-agent",
"service_label_fr": "PERSONAL AGENT",
"dst_port": 5555,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-personal-agent",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000",
"port": 5555,
"service": "personal-agent",
"service_label_fr": "PERSONAL AGENT"
},
"attack_vector": "personal-agent \u00b7 via PERSONAL AGENT:5555 \u00b7 (sonde \/ probe)",
"evidence_snippet": "CNXN2\ufffd\ufffd\ufffd\ufffdhost::",
"target_port_label": "5555 \u00b7 PERSONAL AGENT",
"emulator_service": "personal-agent",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "personal_agent",
"service_banner": "honeypot-personal-agent",
"service_os": "linux",
"dst_port": "5555"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"personal-agent",
"port:5904"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
5904
|
—
|
Sonde port
Sonde port · port 5904 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5904
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 5904,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "d7b2d085cd7e3037da0863a0f0bea640be847d73",
"event_fingerprint": "f2d401100e184d785b7334b55a9002f0181a0d01",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 5904,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c0c8c4a3463cf1150ea409f8a18964430ab1f18e",
"protocol_details": {
"port": 5904
},
"attack_vector": "Sonde port \u00b7 port 5904 \u00b7 (sonde \/ probe)",
"target_port_label": "5904",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5904,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 5904
},
"attack_vector": "Sonde port \u00b7 port 5904 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5904",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5904"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9999 · ADMIN ALT
|
admin-alt
|
admin-alt
admin-alt · via ADMIN ALT:9999 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
ADMIN-ALT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9999
Chemin / cible
—
Pourquoi cette classification : Type « admin-alt » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "admin-alt",
"app_proto": "admin-alt",
"asn": 6939,
"country": "US",
"dst_port": 9999,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "206c95a9eb725a1fc21f04db3e4cf4233b894a69",
"event_fingerprint": "bdae3a5e708dccdbe307a2861747dd09885f206a",
"classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "admin-alt",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "d3aaa0a3d94e4e5a70802f7b7e17f9f7"
},
"target_context": {
"dst_port": 9999,
"service": "admin-alt",
"service_name": "admin-alt",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3ce048627091cf43bcf12b483a4838949c5be7f0",
"protocol_details": {
"port": 9999,
"service": "admin-alt",
"service_label_fr": "ADMIN ALT"
},
"attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)",
"target_port_label": "9999 \u00b7 ADMIN ALT",
"emulator_service": "admin-alt",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "admin-alt",
"service_label_fr": "ADMIN ALT",
"dst_port": 9999,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-admin-alt",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 9999,
"service": "admin-alt",
"service_label_fr": "ADMIN ALT"
},
"attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9999 \u00b7 ADMIN ALT",
"emulator_service": "admin-alt",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "admin_alt",
"service_banner": "honeypot-admin-alt",
"service_os": "linux",
"dst_port": "9999"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
8030 · HTTP ALT 8030
|
http-alt-8030
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8030:8030 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
HTTP-ALT-8030
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8030
Chemin / cible
—
Service
HTTP ALT 8030
Payload
����{���w�����c�(�BQ�y�ea �2�=�ǃc��6�e$~�u����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w�����c�(�BQ�y�ea
�2�=�ǃc��6�e$~�u����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 128,
"payload_entropy": 4.8364192807946536,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http-alt-8030",
"app_proto": "http-alt-8030",
"asn": 6939,
"country": "US",
"dst_port": 8030,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "785e9f4c443992e001abf05b17bc0c6d943dec2d",
"event_fingerprint": "d518b829c20062df6be80770ff73e9c18b99bdb9",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "http-alt-8030",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7e25ada0dce753580da47a466af81d0b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8030,
"service": "http-alt-8030",
"service_name": "http-alt-8030",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0015\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0015\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0015\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "53de15e3699fe59c86c3926d7382e0b7f4b57c86",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0015\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8030,
"service": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030"
},
"evidence_snippet": "{w\ufffd\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8030:8030 \u00b7 (sonde \/ probe)",
"target_port_label": "8030 \u00b7 HTTP ALT 8030",
"emulator_service": "http-alt-8030",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030",
"dst_port": 8030,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8030",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0015\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 8030,
"service": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8030:8030 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{w\ufffd\ufffdc\ufffd(\ufffdBQ\ufffdy\ufffdea\n\ufffd2\ufffd=\ufffd\u01c3c\ufffd\ufffd6\ufffde$~\ufffdu\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "8030 \u00b7 HTTP ALT 8030",
"emulator_service": "http-alt-8030",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8030",
"service_banner": "honeypot-http-alt-8030",
"service_os": "linux",
"dst_port": "8030"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
25 · SMTP
|
smtp
|
Sonde port 25/TCP
port 25 tcp · via SMTP:25 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMTP
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_smtp_probe
smtp_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
25
Chemin / cible
—
Preuve honeypot — Sonde port 25/TCP
Connexion détectée sur le port 25 (TCP) du capteur simulé.
Service
SMTP
Payload
GET / HTTP/1.1 Host: 62.3.50.33:25 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Pourquoi cette classification : Type « port_25_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Moyen
· 45
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:25 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "323230206d61696c2e6578616d706c652e636f6d2045534d545020506f737466697820285562756e7475290d0a35303220352e352e32204572726f723a20636f6d6d616e64206e6f74207265636f676e697a65640d0a",
"emulator_response_len": 86,
"bytes_in": 200,
"payload_entropy": 5.379763895505548,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "smtp",
"app_proto": "smtp",
"asn": 6939,
"country": "US",
"dst_port": 25,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d5ebffd5a0db198c02921a042247c577fc406d08",
"event_fingerprint": "3d09fc52d69030bda96b86438d4460cfb5a981fd",
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": true,
"named_candidate": "smtp_probe",
"service_name": "smtp",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9d278790f34aa36f5220c4352bb441ee",
"path_pattern_hash": "b092d319b1811e4f4d12f749391d1fc5"
},
"target_context": {
"dst_port": 25,
"service": "smtp",
"service_name": "smtp",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/113.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8b2db606db055c3909ffa03589fc8728d10ff4a2",
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 25,
"service": "smtp",
"service_label_fr": "SMTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "port 25 tcp \u00b7 via SMTP:25 \u00b7 (sonde \/ probe)",
"target_port_label": "25 \u00b7 SMTP",
"emulator_service": "smtp",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_25_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 55,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "smtp",
"service_label_fr": "SMTP",
"dst_port": 25,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Postfix ESMTP",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 25,
"service": "smtp",
"service_label_fr": "SMTP"
},
"attack_vector": "port 25 tcp \u00b7 via SMTP:25 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:25\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "25 \u00b7 SMTP",
"emulator_service": "smtp",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mail",
"service_banner": "Postfix ESMTP",
"service_os": "linux",
"dst_port": "25"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_smtp_probe",
"smtp_emulated"
]
}
|
|
|
TCP |
5443 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:5443 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 cba7f34191ef2379
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5443
Chemin / cible
—
Service
TLS
Payload
����{���w��E�o'� i���]���x��L�C�{�l�ڼ#Z @�����/�+������� ��� ���/�5��� ���4���������� ����������� ����� �����������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��E�o'� i���]���x��L�C�{�l�ڼ#Z @�����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.898412002933164,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"dst_port": 5443,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "38f4503bf18c3e5e5b8d3cb7e422a4dd8bfca84f",
"event_fingerprint": "3a8cd985a505433b936eaf5ee1545792f66b62d8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "9ad684d315736f5572bf62ec8e9e2a82",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e",
"tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 13,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 5443,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\u001b\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\u001b\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\u001b\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6325c3eae9fdd9444c3d35ca2a752b56acf98754",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\u001b\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 5443,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "{wE\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:5443 \u00b7 (sonde \/ probe)",
"target_port_label": "5443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5443,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003E\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\u001b\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e",
"port": 5443,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:5443 \u00b7 (sonde \/ probe)",
"evidence_snippet": "{wE\ufffdo'\ufffd\ti\ufffd\ufffd\ufffd]\ufffd\ufffdx\ufffd\ufffdL\ufffdC\ufffd{\ufffdl\ufffd\u06bc#Z @\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd",
"target_port_label": "5443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
6161
|
—
|
Sonde port
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6161
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Signaux
pat-0558
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��ActiveMQ�������������� CacheSize�������CacheEnabled����SizePrefixDisabled��� MaxInactivityDurationInitalDelay�������'���Tcp
Requête brute (extrait)
��ActiveMQ�������������� CacheSize������ CacheEnabled����SizePrefixDisabled��� MaxInactivityDurationInitalDelay�������'���TcpNoDelayEnabled����MaxInactivityDuration�������u0��TightEncodingEnabled����StackTraceEnabled��
Meta JSON brut
{
"bytes_in": 221,
"payload_entropy": 4.825139331271603,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": null,
"app_proto": null,
"asn": 6939,
"country": "US",
"dst_port": 6161,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 15
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "db329834b7843090d4de1044f328ea31b051fcee",
"event_fingerprint": "dc35de7fcb0149ed20e2b54e16a0108be4bfc4fb",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0558"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 15,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "144567eebacfa857b574caabd70206e2",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 6161,
"risk_score": 44
},
"payload_preview": "\u0000\u0000\u0000\ufffd\u0001ActiveMQ\u0000\u0000\u0000\u0006\u0001\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\b\u0000\tCacheSize\u0005\u0000\u0000\u0004\u0000\u0000\fCacheEnabled\u0001\u0001\u0000\u0012SizePrefixDisabled\u0001\u0000\u0000 MaxInactivityDurationInitalDelay\u0006\u0000\u0000\u0000\u0000\u0000\u0000'\u0010\u0000\u0011Tcp",
"request_sample": "\u0000\u0000\u0000\ufffd\u0001ActiveMQ\u0000\u0000\u0000\u0006\u0001\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\b\u0000\tCacheSize\u0005\u0000\u0000\u0004\u0000\u0000\fCacheEnabled\u0001\u0001\u0000\u0012SizePrefixDisabled\u0001\u0000\u0000 MaxInactivityDurationInitalDelay\u0006\u0000\u0000\u0000\u0000\u0000\u0000'\u0010\u0000\u0011TcpNoDelayEnabled\u0001\u0001\u0000\u0015MaxInactivityDuration\u0006\u0000\u0000\u0000\u0000\u0000\u0000u0\u0000\u0014TightEncodingEnabled\u0001\u0001\u0000\u0011StackTraceEnabled\u0001\u0001",
"payload_snippet": "\u0000\u0000\u0000\ufffd\u0001ActiveMQ\u0000\u0000\u0000\u0006\u0001\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\b\u0000\tCacheSize\u0005\u0000\u0000\u0004\u0000\u0000\fCacheEnabled\u0001\u0001\u0000\u0012SizePrefixDisabled\u0001\u0000\u0000 MaxInactivityDurationInitalDelay\u0006\u0000\u0000\u0000\u0000\u0000\u0000'\u0010\u0000\u0011Tcp",
"evidence": {
"request_sample": "\u0000\u0000\u0000\ufffd\u0001ActiveMQ\u0000\u0000\u0000\u0006\u0001\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\b\u0000\tCacheSize\u0005\u0000\u0000\u0004\u0000\u0000\fCacheEnabled\u0001\u0001\u0000\u0012SizePrefixDisabled\u0001\u0000\u0000 MaxInactivityDurationInitalDelay\u0006\u0000\u0000\u0000\u0000\u0000\u0000'\u0010\u0000\u0011TcpNoDelayEnabled\u0001\u0001\u0000\u0015MaxInactivityDuration\u0006\u0000\u0000\u0000\u0000\u0000\u0000u0\u0000\u0014TightEncodingEnabled\u0001\u0001\u0000\u0011StackTraceEnabled\u0001\u0001",
"payload_snippet": "\u0000\u0000\u0000\ufffd\u0001ActiveMQ\u0000\u0000\u0000\u0006\u0001\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\b\u0000\tCacheSize\u0005\u0000\u0000\u0004\u0000\u0000\fCacheEnabled\u0001\u0001\u0000\u0012SizePrefixDisabled\u0001\u0000\u0000 MaxInactivityDurationInitalDelay\u0006\u0000\u0000\u0000\u0000\u0000\u0000'\u0010\u0000\u0011Tcp",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fd37b57d424b3026d66340386b8aeb3364b2a7c8",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 15,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 6161,
"protocol_emulated": null,
"tags_summary": [
"pat-0558"
],
"tags_summary_labels_fr": [
"pat-0558"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "6161"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
873 · RSYNC
|
rsync
|
rsync probe
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_rsync_probe
redis_rdb_sync
rsync_emulated
rsync_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
873
Chemin / cible
—
Pourquoi cette classification : Type « rsync_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a",
"emulator_response_len": 60,
"bytes_in": 42,
"payload_entropy": 4.266502839084849,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "rsync",
"app_proto": "rsync",
"asn": 6939,
"country": "US",
"dst_port": 873,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ba612222d4768e5f58a1607ac2d9d2511f5239d7",
"event_fingerprint": "b8e7f2d6a44abcd0eaea4d28adc634b3cbaedb93",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "rsync",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "befa1ea090df7b8f9bbcc964bdc5d1fc",
"path_pattern_hash": "fa887033768ad7efd3289b383db625e0"
},
"target_context": {
"dst_port": 873,
"service": "rsync",
"service_name": "rsync",
"risk_score": 34
},
"payload_preview": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"request_sample": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"payload_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"evidence": {
"request_sample": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n\n",
"payload_snippet": "@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "453ddc6e7d181de518b648ee2f4dc71234952e1d",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "rsync",
"service_label_fr": "RSYNC",
"dst_port": 873,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rsync",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rsync",
"service_banner": "honeypot-rsync",
"service_os": "linux",
"dst_port": "873"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_rsync_probe",
"redis_rdb_sync",
"rsync_emulated",
"rsync_payload",
"rsync_probe"
]
}
|
|
|
TCP |
873 · RSYNC
|
rsync
|
rsync probe
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_rsync_probe
redis_rdb_sync
rsync_emulated
rsync_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
873
Chemin / cible
—
Pourquoi cette classification : Type « rsync_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYNCD: 31.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a",
"emulator_response_len": 60,
"bytes_in": 14,
"payload_entropy": 3.8073549220576055,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "rsync",
"app_proto": "rsync",
"asn": 6939,
"country": "US",
"dst_port": 873,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ba612222d4768e5f58a1607ac2d9d2511f5239d7",
"event_fingerprint": "b8e7f2d6a44abcd0eaea4d28adc634b3cbaedb93",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "rsync",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dbc456a2cc47132c0c860fefa9f3bb45",
"path_pattern_hash": "fa887033768ad7efd3289b383db625e0"
},
"target_context": {
"dst_port": 873,
"service": "rsync",
"service_name": "rsync",
"risk_score": 34
},
"payload_preview": "@RSYNCD: 31.0\n",
"request_sample": "@RSYNCD: 31.0\n",
"payload_snippet": "@RSYNCD: 31.0",
"evidence": {
"request_sample": "@RSYNCD: 31.0\n",
"payload_snippet": "@RSYNCD: 31.0",
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "49b140b333d7baffc0ce5763af9e519a3c86d50c",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "rsync",
"service_label_fr": "RSYNC",
"dst_port": 873,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rsync",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rsync",
"service_banner": "honeypot-rsync",
"service_os": "linux",
"dst_port": "873"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_rsync_probe",
"redis_rdb_sync",
"rsync_emulated",
"rsync_payload",
"rsync_probe"
]
}
|
|
|
TCP |
9000 · HTTP
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
Corrélations
Scan coordonné
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9000
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
72%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accep
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049",
"http_host_hash": "064fbdc555932d23d67bf2591639f6b292b96102",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.259046454057526,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 9000,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "24421d541809f378a94f055f49aae747dc5c0c97",
"event_fingerprint": "0c0dd7ea17d508d534a97210ab73e65299d4331d",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.72,
"classification_confidence": 0.72,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0",
"payload_hash": "d11e2e27be1af839aa53168d7f84ae29",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9000,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccep",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccep",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nAccep",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a4c4ed30473891245e7edb19555593bc6e8c58e3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "64.62.156.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "exploit_attempt",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
]
}
|
|
|
TCP |
82 · HTTP
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
82
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:82
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept:
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "ad27a0c503affdf866a122bef5f22ca7a7cfd174",
"http_host_hash": "b00c56701bd04898edc8a488547d32d613363649",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 159,
"payload_entropy": 5.247811811312705,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 82,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "39b03ee81ef13b98c0af55c09e73d3c33a944deb",
"event_fingerprint": "99d1fa91829a98776d27b93154df102b814f8f2d",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "fb50110a7e842d19fdf3bbfefc4b0e37",
"payload_hash": "3ee98ccdf0336e84c7981f27c186a1a9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 82,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\r\nAccept:",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\r\nAccept:",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0f91cbe1efc7e87ee217d4acce59aa010ab836a1",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploit_attempt",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5432
|
postgres
|
Sonde PostgreSQL
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_postgresql_probe
postgres_emulated
postgres_startup
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5432
Chemin / cible
—
Pourquoi cette classification : Type « postgresql_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0000001252000000057573657200706f73746772657300",
"emulator_response_len": 23,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "postgres",
"app_proto": "postgres",
"asn": 6939,
"country": "US",
"dst_port": 5432,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0
},
"risk_score": 19,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "12b185c5c936d11db56861a0ba267c300ed0e15e",
"event_fingerprint": "4ccb9ae5aa8fe2eee37acc0e9b054ffd0269442f",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "694bec2754742b999eb8e010ccd19ce8",
"path_pattern_hash": "2e6f775d89e58a7f725edffbb3ac7743"
},
"target_context": {
"dst_port": 5432,
"service": "postgres"
},
"payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"evidence": {
"request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"classification_reason": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"classification_reason": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fb1e742fec84d78464642e564565a53a4350e198",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_postgresql_probe",
"postgres_emulated",
"postgres_startup"
]
}
|
|
|
TCP |
8086
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 39
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
13
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
net_web_probe
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8086
Chemin / cible
/favicon.ico
Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 94%
Confiance classification
94%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.48 Safari/537.36
Règles WAF
rce-0
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:8086
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.7103.48 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573",
"emulator_response_len": 165,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "f61beacb9bf1c63ca75ac821a0c1f227db476592",
"http_host_hash": "dca14bd323afb7abea7bafa539fc0b23ad09cfc0",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 217,
"payload_entropy": 5.409682891198272,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 8086,
"risk_waf": 60,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 60,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 39,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ba7297ebbb265fdc848910cda0d09ed0eb083486",
"event_fingerprint": "0a3b3cc641a8b90ecec36bb3250aab9a0543f072",
"classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 94%",
"confidence": 0.94,
"classification_confidence": 0.94,
"precision_score": 102,
"precision_signals": [
"INT-benign-favicon",
"INT-single-port",
"INT-benign-path-cap"
],
"kb_rule_ids": [
"INT-benign-favicon",
"INT-single-port",
"INT-benign-path-cap"
],
"risk_confidence_factor": 94,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e02856d9b5b9b4f2128023fe13ccbf9f",
"payload_hash": "fd114f55e19f1b52ac1a56f7b7971b89",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 8086,
"service": "http"
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.7103.48 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.7103.48 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.7103.48 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.7103.48 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM",
"classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 94%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ff96196325eb12aca6fc5a9a2087b8302208fc13",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"net_web_probe"
]
}
|
|
|
TCP |
8086
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 48
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8086
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8086
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) C
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8086 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573",
"emulator_response_len": 165,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d6bbb94534357fd72da436fcb8989405ec7d4fca",
"http_host_hash": "dca14bd323afb7abea7bafa539fc0b23ad09cfc0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 197,
"payload_entropy": 5.394087143893746,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 8086,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 48,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "42b58b6bad95ee7bfee3964e059621327cd1a60a",
"event_fingerprint": "a341a4dcb9002272281a0aa0745f5ed5175a126b",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1f74cf353897baa1c2c58a1e0c192384",
"payload_hash": "979b036c612f65807f1aa4cbc81e9b6c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8086,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f70de3a53e012f0473f5bd9a54bc178e717a7a66",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
]
}
|
|
|
TCP |
9000
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9000
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/12
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "60bb052004c3480e85911ac42c788ff96cb72f89",
"http_host_hash": "064fbdc555932d23d67bf2591639f6b292b96102",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 171,
"payload_entropy": 5.1860790156502565,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 9000,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "24421d541809f378a94f055f49aae747dc5c0c97",
"event_fingerprint": "0c0dd7ea17d508d534a97210ab73e65299d4331d",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e652bd328d436bacf8e2668dac78904b",
"payload_hash": "df0537554343a1ec89b2273a31cdb573",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9000,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/12",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/120.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/120.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/12",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/120.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/120.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko\/20100101 Firefox\/12",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4979ba449c1fba9ae8e53e5f7fa7b07b861c72b7",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
]
}
|
|
|
TCP |
5900
|
vnc
|
Sonde VNC
|
Élevée
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5900
Chemin / cible
—
Pourquoi cette classification : Type « vnc_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "vnc",
"app_proto": "vnc",
"asn": 6939,
"country": "US",
"dst_port": 5900,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0
},
"risk_score": 8,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "85454e6c29c51aac1db940d56f57ff1075b15dc1",
"event_fingerprint": "3a1818c09cc3b5e6ad75703011c0dde91c1bf15b",
"classification_reason": "Type \u00ab vnc_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "61f146998107ee0d48dcdbbf16d99fc0"
},
"target_context": {
"dst_port": 5900,
"service": "vnc"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c92db80f81db279040ec62d13e536f98beb667e",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
]
}
|
|
|
TCP |
8888
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_web_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8888
Chemin / cible
/
Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 73%
Confiance classification
73%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
HTTP alt 8888 probe
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/120.0.6099.28 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Headle
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/120.0.6099.28 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "86d22294859a7a0db4528e583ce7b13983b74ab5",
"http_host_hash": "25a58e7d7f0ed40aadf0d51b038172ea9ccc8435",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 204,
"payload_entropy": 5.4767789601067705,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 8888,
"risk_waf": 72,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "e11c1b827d438ca6f81f14ef35ff35f7c31ff992",
"event_fingerprint": "d96673c00b57d970f6555d6dff66c77e09351a74",
"classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 73%",
"confidence": 0.73,
"classification_confidence": 0.73,
"precision_score": 82,
"precision_signals": [
"pat-0599",
"INT-single-port"
],
"kb_rule_ids": [
"pat-0599",
"INT-single-port"
],
"matched_patterns": [
"pat-0599"
],
"matched_pattern_names": [
"HTTP alt 8888 probe"
],
"pattern_ids": [
"pat-0599"
],
"risk_confidence_factor": 73,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "90dbcfbbb944e84a785a89d4e8079ec4",
"payload_hash": "2a2a383253f2a35a7f85d31825a7b752",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Headle",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/120.0.6099.28 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/120.0.6099.28 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Headle",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/120.0.6099.28 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) HeadlessChrome\/120.0.6099.28 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Headle",
"classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 73%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a5cf621a2f6673c0fe24b2fc946e58520c966e8a",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_web_probe"
]
}
|
|
|
TCP |
30005
|
http
|
Tentative d'exploit
|
Élevée
|
Moyen · 48
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30005
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30005
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Ac
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:30005 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "4967c12be75611dd5228cefc4da133e1652fc191",
"http_host_hash": "35199aec1f494705c37d247e1616159f8ad2f9f2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 164,
"payload_entropy": 5.2386736805836875,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 30005,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "61742d2c3ccc23b1a3161282ddfbf7de592e93b2",
"event_fingerprint": "87db80557f4a341f363ca9197565ccb142f49992",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "86687a5809688b948cd4a3e6cf81421e",
"payload_hash": "489dff2dea483f8c1b6b59c2a80cea2c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 30005,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAc",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAc",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30005\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAc",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fa1657ed7cdd8218840865fb93c8f22a3578e3fb",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
3333
|
stratum
|
Sonde Stratum (mining)
|
Élevée
|
Faible · 26
|
|
Étape
Commande & contrôle
MITRE
TA0011
WAF
—
Recommandation
Surveiller
Tags
net_stratum_probe
stratum_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
3333
Chemin / cible
—
Pourquoi cette classification : Type « stratum_probe » (signaux protocolaires) · confiance 86%
Confiance classification
86%
Tactiques MITRE
TA0011
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��$�x��
�J(/l�lJ?��p��w����|��� �[����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "7b226964223a312c22726573756c74223a5b5b5b226d696e696e672e6e6f74696679225d5d5d2c226572726f72223a6e756c6c7d0a",
"emulator_response_len": 53,
"bytes_in": 128,
"payload_entropy": 4.767514444322512,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "stratum",
"app_proto": "stratum",
"asn": 6939,
"country": "US",
"dst_port": 3333,
"risk_waf": 8,
"risk_classification": 76,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 76,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 26,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d7bb092f895f6f3fc97a73c045b092ba75000805",
"event_fingerprint": "6ef3c9e053ecb665424f0c9a5c533bc1d7d1d11c",
"classification_reason": "Type \u00ab stratum_probe \u00bb (signaux protocolaires) \u00b7 confiance 86%",
"confidence": 0.86,
"classification_confidence": 0.86,
"precision_score": 97,
"precision_signals": [
"INT-stratum_rpc",
"INT-upstream"
],
"kb_rule_ids": [
"INT-stratum_rpc",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 86,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a1cef15b21963c96b42712cc36526fd",
"path_pattern_hash": "4f23774559b8338847916770500f20fe"
},
"target_context": {
"dst_port": 3333,
"service": "stratum"
},
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003$\ufffdx\ufffd\u000f\n\ufffdJ(\/l\blJ?\u001e\ufffdp\u0011\ufffdw\ufffd\ufffd\ufffd\ufffd|\u0006\u000b\f\t\ufffd[\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003$\ufffdx\ufffd\u000f\n\ufffdJ(\/l\blJ?\u001e\ufffdp\u0011\ufffdw\ufffd\ufffd\ufffd\ufffd|\u0006\u000b\f\t\ufffd[\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003$\ufffdx\ufffd\u000f\n\ufffdJ(\/l\blJ?\u001e\ufffdp\u0011\ufffdw\ufffd\ufffd\ufffd\ufffd|\u0006\u000b\f\t\ufffd[\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003$\ufffdx\ufffd\u000f\n\ufffdJ(\/l\blJ?\u001e\ufffdp\u0011\ufffdw\ufffd\ufffd\ufffd\ufffd|\u0006\u000b\f\t\ufffd[\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003$\ufffdx\ufffd\u000f\n\ufffdJ(\/l\blJ?\u001e\ufffdp\u0011\ufffdw\ufffd\ufffd\ufffd\ufffd|\u0006\u000b\f\t\ufffd[\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"classification_reason": "Type \u00ab stratum_probe \u00bb (signaux protocolaires) \u00b7 confiance 86%"
},
"attack_stage": "c2",
"mitre_tactics": [
"TA0011"
],
"threat_family": [
"cryptominer",
"cryptominer"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "83bd7067e0b13de444a43a2e0cb01d3869b4fd39",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_stratum_probe",
"stratum_emulated",
"tls_clienthello"
]
}
|
|
|
TCP |
88
|
http
|
web attack
|
Élevée
|
Moyen · 49
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
88
Chemin / cible
/
Confiance classification
89%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d89915a2c5c7e090023dd9986dca1004ac094f3d",
"http_host_hash": "3f53fd38a0b70842554ee03ec3c54d18c411dc66",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 169,
"payload_entropy": 5.244856538321706,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"dst_port": 88,
"risk_waf": 72,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 72,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 49,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0c77833ec325919bf5c13205308a7b02c87815ca",
"event_fingerprint": "6840b463c7f2afb1d7a870a09905277e24a1cba5",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "08a7a31a561f7e831ba9544525d86abb",
"payload_hash": "af9067a235f102aceaae78399f98ded2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 88,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.89,
"classification_confidence": 0.89,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/115.",
"event_signature": "61e41cb412779074491fdeda271962573d6a89df",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2525
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 14
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����{���w��N�f��Bo���i%�q'CQ9���Y�Ĩ�ѷ[�5K����/�+������� ���
���/�5���
���4����������
�����������������
����������������������
Meta JSON brut
{
"tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 128,
"payload_entropy": 4.888684561543816,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "tls",
"app_proto": "tls",
"asn": 6939,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 14,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "70836d31869a19f9ea12fae07404daf9d0307458",
"event_fingerprint": "a5543b0253b16d50cf38091c938c125f7d919307",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 6939,
"org": "Hurricane Electric LLC",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "cba7f34191ef2379c1325641f6c6c4f4",
"payload_hash": "8146b19541a1c304ce4710b914afb66e",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2525,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003N\ufffdf\ufffd\ufffdBo\ufffd\ufffd\u0015i%\ufffdq'CQ9\ufffd\u0004\ufffdY\ufffd\u0128\f\u0477[\ufffd5K\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"event_signature": "215fd1b1d0c875ec874fc3f87a5a4b7661cdc3bf",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
17017
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
17017
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6914089f18375e75f73bc384e06655c2a389b72a",
"http_host_hash": "629377962bd8b43014bd32e2d605bbf011d55d99",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 217,
"payload_entropy": 5.3520510292123165,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "fecc9214dd2fbc57be24569c524a70af56998d02",
"event_fingerprint": "34b153f4e63b0780219ccad5334f455091452e08",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2101
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 57
|
|
Étape
—
WAF
3
Recommandation
—
Tags
950734:sap-sapcontrol-path
http_missing_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2101
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
NTRIP
Règles WAF
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0bae62ac14bbe59ee26262f16729028baddf0654",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 73,
"payload_entropy": 4.714170114867805,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 57,
"campaign_key": "aa8d6972bd0b406f2c29e798d5b4196274e37325",
"event_fingerprint": "55d938b1377cbc0df3239afdabb39b3f6f262b5f",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_missing_host"
]
}
|
|
|
TCP |
5801
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
1200
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
135
|
msrpc
|
msrpc
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8006
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
25
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
25
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Safari/605.1.15
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "90707161f7c6db88bc046b88a4ea238e1dc5f571",
"http_host_hash": "d696a5caa150e944b985fffcaa3ccb09c607a25d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 206,
"payload_entropy": 5.321494479873487,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "624347722ed08ce2d1c3c0e8bb12451ab3374512",
"event_fingerprint": "93a69dbba338e88dd3f786b0545c951744e1e971",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
801
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
801
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "33b0fadeadd2d92f342c18a9d3267662a39123b0",
"http_host_hash": "7fcf178b2cbd7428736dd988ee2cc7c3810d4aa7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.228718790188313,
"port_category": "well_known",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "1d33457d9fecdd2d5226c05f0ab488c2d75d46dc",
"event_fingerprint": "adc3cfe928cb8d3d0cd29a6d500abf89f9130b7a",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2323
|
—
|
port attack
|
Élevée
|
Élevé · 72
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20001
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20001
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "224532780fe2e707ad4c403542e7306b48753b17",
"http_host_hash": "7b7ceeb8769b41299faf7c8b50702f8be7063897",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 202,
"payload_entropy": 5.371469592149826,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "449961f6b595d63e3572d8e7acbaa098adff49ac",
"event_fingerprint": "b8ca5da7cb4a4587f6605ef66c75905a38ef1186",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
8888
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8888
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
8040
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
16
Recommandation
—
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8040
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 OPR/94.0.0.0 (Edition Yx GX)
Règles WAF
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "8f94305f9adfc48a88d2ee05602a8b90e6e75a27",
"http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 231,
"payload_entropy": 5.440536377187325,
"port_category": "registered",
"org": "Hurricane Electric LLC",
"service": "http",
"app_proto": "http",
"asn": 6939,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "50cbb84fc7c36c26cff0632db2c0629820657bc8",
"event_fingerprint": "3b2cb7fd56ea7d94d7e39e2e65190a596a46a3c9",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6002
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2083
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|