Renseignement sur les menaces

États-Unis

71.6.134.204

FAI CariNet, Inc. Première vue 03/06/2026 22:51 UTC Dernière vue 20/06/2026 23:05 UTC Risque Moyen

Période analysée : 2026-06-14 → 2026-06-21

Activité suspecte — risque 47/100 (Moyen) — MITRE TA0001 — confiance 62 % — via HTTP

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 50/100 Moyen

Première observation 03/06/2026 22:51 UTC

Dernière observation 20/06/2026 23:05 UTC

Événements (période) 33

MITRE ATT&CK principal TA0007 21 occurrences

Activité suspecte — risque 47/100 (Moyen) — MITRE TA0001 — confiance 62 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tentative d'exploit (tag rce-0) · confiance 62%

Confiance 62 % — Score WAF 72 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 10439 · 71.6.128.0/17 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 33 événements sur la période pour cette IP.

66.240.205.34 netbus 21/06/2026 07:54 UTC
71.6.134.230 Tentative d'exploit 21/06/2026 07:11 UTC
71.6.199.87 modbus probe 21/06/2026 05:45 UTC
71.6.199.23 Sonde TLS 21/06/2026 02:00 UTC
66.240.223.240 Sonde SMB 21/06/2026 01:40 UTC
71.6.199.65 Sonde port 5900/TCP 20/06/2026 21:59 UTC
71.6.147.254 Sonde port 20/06/2026 21:00 UTC
71.6.135.131 splunk-hec 20/06/2026 16:11 UTC

Événements (filtres)

Première observation

03/06/2026 22:51 UTC

Dernière observation

20/06/2026 23:05 UTC

Dernière activité (filtres)

20/06/2026 23:05 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 17 SMB TCP 4 TLS TCP 3 SSH TCP 3 HTTP ALT 8081 TCP 1 HTTP ALT 8088 TCP 1 HTTP ALT 8880 TCP 1 AJP TCP 1 PROMETHEUS TCP 1 HTTP ALT 8008 TCP 1

HTTP

SMB

TLS

SSH

HTTP ALT 8081

HTTP ALT 8088

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

CariNet, Inc. 0 Port 15000 exploit_attempt

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

exploit attempt · via HTTP:15000 · (tentative d'exploit)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 S…

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:15000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge

Port / service

15000 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 62 % — 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1190

Confiance

62%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

33 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

33 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
20/06/2026 23:05:57 UTC	TCP	15000 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:15000 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 15000 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "2f30d0aee5795b36e475e61f65b86a61fa1f07da", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 203, "payload_entropy": 5.3554069498881915, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 15000, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e2daf0afadfe502698a1d3a41bddf2217476c444", "event_fingerprint": "df891f25a6dffac4e24386418e98addb1e6f1fbe", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "1c3e0cc81d5c9c0e2f8948c32bbc7024", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 15000, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "827be03fc7f930eb62785578613d80a643eb8720", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 15000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "exploit attempt \u00b7 via HTTP:15000 \u00b7 (tentative d'exploit)", "target_port_label": "15000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 15000, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 15000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:15000 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "15000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "15000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
19/06/2026 10:58:16 UTC	TCP	8880 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8880 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.379412140869005, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8880, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3ac09fdfe4b202ead7286124b3d1936b52a9e85e", "event_fingerprint": "22b180357aadd6621c83358db48bed7dd2e041d1", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "67d3310e86e3a18fe5c999dd557f5535", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "549b6689aad64516123ad233f9373ffe7296031a", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8880, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
19/06/2026 10:57:48 UTC	TCP	8880 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8880 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.3946871957928595, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8880, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9c30ce3198befc881fb2b9eff62dd52155021f5f", "event_fingerprint": "d02d0cf983692d58cdb0cfca4295b2fba7206c25", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "a1a4879678a32135487d2a2816fce9ea", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c927a9686f230f76e60ed6b3945a0b23b66ce5d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:8880 \u00b7 (tentative d'exploit)", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8880, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8880, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8880 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8880 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
19/06/2026 10:42:16 UTC	TCP	8880 · HTTP ALT 8880	http-alt-8880	Sonde PostgreSQL postgres probe · via HTTP ALT 8880:8880 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 a0700378bd6d58aa Émulateur HTTP-ALT-8880 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8880 Chemin / cible — Service HTTP ALT 8880 Payload ��~i��nAh��=D��h℔�h~�^؋^x�W >��Q�riNHv�}�U��m��3"l� jj�+�/�,�0̨̩��/5 Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��~i��nAh��=D��h℔�h~�^؋^x�W >��Q�riNHv�}�U��m��3"l� jj�+�/�,�0̨̩��/5 Requête brute (extrait) ��~i��nAh��=D��h℔�h~�^؋^x�W >��Q�riNHv�}�U��m��3"l� jj�+�/�,�0̨̩��/5 # �+ 3&$ � c�Q��4��֎LӁ��#:�&`�JM<҈�L Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.8654720750099605, "port_category": "registered", "org": "CariNet, Inc.", "service": "http-alt-8880", "app_proto": "http-alt-8880", "asn": 10439, "country": "US", "dst_port": 8880, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a678a325f39f135d725fa17d8a0ab23c974128d7", "event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8880", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f46f72fe771a805dc7ee2fe1d8d9c932", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "a0700378bd6d58aa3d948e7a0722042b", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "a0700378bd6d58aa3d948e7a0722042b", "tls_ja3": "771,27242-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8880, "service": "http-alt-8880", "service_name": "http-alt-8880", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001~\u000fi\ufffd\ufffdnAh\u001d\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\u000f\ufffdQ\u001e\ufffdriN\u0001Hv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\u0019\ufffd3\"l\ufffd\u0000 jj\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001~\u000fi\ufffd\ufffdnAh\u001d\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\u000f\ufffdQ\u001e\ufffdriN\u0001Hv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\u0019\ufffd3\"l\ufffd\u0000 jj\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\fc\ufffd\u0006Q\u001f\ufffd\ufffd4\ufffd\ufffd\u058eL\u04c1\ufffd\ufffd#:\ufffd&`\ufffdJM<\u0488\ufffdL", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001~\u000fi\ufffd\ufffdnAh\u001d\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\u000f\ufffdQ\u001e\ufffdriN\u0001Hv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\u0019\ufffd3\"l\ufffd\u0000 jj\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "120f0f7f41271e6c28f99c04d2f3a8c9ed01e0a2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001~\u000fi\ufffd\ufffdnAh\u001d\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\u000f\ufffdQ\u001e\ufffdriN\u0001Hv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\u0019\ufffd3\"l\ufffd\u0000 jj\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "a0700378bd6d58aa3d948e7a0722042b", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8880, "service": "http-alt-8880", "service_label_fr": "HTTP ALT 8880" }, "evidence_snippet": "\ufffd\ufffd~i\ufffd\ufffdnAh\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\ufffdQ\ufffdriNHv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd3\"l\ufffd jj\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)", "target_port_label": "8880 \u00b7 HTTP ALT 8880", "emulator_service": "http-alt-8880", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8880", "service_label_fr": "HTTP ALT 8880", "dst_port": 8880, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8880", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001~\u000fi\ufffd\ufffdnAh\u001d\ufffd\ufffd=D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\u000f\ufffdQ\u001e\ufffdriN\u0001Hv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\u0019\ufffd3\"l\ufffd\u0000 jj\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "a0700378bd6d58aa3d948e7a0722042b", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8880, "service": "http-alt-8880", "service_label_fr": "HTTP ALT 8880" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd~i\ufffd\ufffdnAh\ufffd\ufffd=*D\ufffd\ufffdh\u2114\ufffdh~\ufffd^\u060b^x\ufffdW >\ufffd\ufffdQ\ufffdriNHv\ufffd}\ufffdU\ufffd\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd3\"l\ufffd jj\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "8880 \u00b7 HTTP ALT 8880", "emulator_service": "http-alt-8880", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8880", "service_banner": "honeypot-http-alt-8880", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
19/06/2026 05:03:04 UTC	TCP	8088 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8088 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.379412140869005, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8088, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c921a8f991686662492d172163fc1a98957ea873", "event_fingerprint": "2c27a00d09a4cd093e7e046a670fefba0a42e3d4", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "a8365f810e801dc11b67fc1021a91a06", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41525581c1e5034d8a2f89108bbc9e6a1c29531c", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8088 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
19/06/2026 05:02:35 UTC	TCP	8088 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8088 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.3946871957928595, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8088, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 48, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ae56f860171955f2b288985a500c23cee42d529f", "event_fingerprint": "37d96fce8f60b477529ee3ee20f66ccf08b6b641", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "bee7e4cc966da1f4b4a0c0d11402a1ff", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "435fdc9f952ed0bc00365aededc9e13b54f8888f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8088 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
19/06/2026 04:46:55 UTC	TCP	8088 · HTTP ALT 8088	http-alt-8088	Sonde PostgreSQL postgres probe · via HTTP ALT 8088:8088 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 8325ea77b93f33be Émulateur HTTP-ALT-8088 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8088 Chemin / cible — Service HTTP ALT 8088 Payload ��~��E6]��v��z��޻ �+[#� ��J�CrgD�0�ZI1�\|!�P� ��+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��~��E6]��v��z��޻ �+[#� ��J�CrgD�0�ZI1�\|!�P� ��+�/�,�0̨̩��/5 Requête brute (extrait) ��~��E6]��v��z��޻ �+[#� ��J�CrgD�0�ZI1�\|!�P� ��+�/�,�0̨̩��/5 # �+ 3&$ ��A��j��\|� �M�!�GeY�oPHK Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.787650965042482, "port_category": "registered", "org": "CariNet, Inc.", "service": "http-alt-8088", "app_proto": "http-alt-8088", "asn": 10439, "country": "US", "dst_port": 8088, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c6a5539a7fac0faf399c0a215ac9450c24753038", "event_fingerprint": "e4439b80d6e4b371d582e64e67ce8ed1e436ce25", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8088", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4a8448925751ef1dbe4538c3feb16d41", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja3": "771,56026-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8088, "service": "http-alt-8088", "service_name": "http-alt-8088", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdz\ufffd\ufffd\u001e\ufffd\u07bb \ufffd+[\b#\ufffd \ufffd\ufffdJ\ufffdCrg\u0007\u0006D\u001d\ufffd0\ufffdZI1\b\ufffd\|!\ufffdP\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdz\ufffd\ufffd\u001e\ufffd\u07bb \ufffd+[\b#\ufffd \ufffd\ufffdJ\ufffdCrg\u0007\u0006D\u001d\ufffd0\ufffdZI1\b\ufffd\|!\ufffdP\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\|\ufffd\t\ufffd\u0003M\ufffd!\ufffdGeY\ufffdoPHK\u0004", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdz\ufffd\ufffd\u001e\ufffd\u07bb \ufffd+[\b#\ufffd \ufffd\ufffdJ\ufffdCrg\u0007\u0006D\u001d\ufffd0\ufffdZI1\b\ufffd\|!\ufffdP\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "57b8bf42ec284207de0085f797a0257bc76124a0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdz\ufffd\ufffd\u001e\ufffd\u07bb \ufffd+[\b#\ufffd \ufffd\ufffdJ\ufffdCrg\u0007\u0006D\u001d\ufffd0\ufffdZI1\b\ufffd\|!\ufffdP\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "evidence_snippet": "\ufffd\ufffd~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffd\u07bb \ufffd+[#\ufffd \ufffd\ufffdJ\ufffdCrgD\ufffd0\ufffdZI1\ufffd\|!\ufffdP\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8088", "service_label_fr": "HTTP ALT 8088", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8088", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\u0004\ufffd\ufffd\ufffdz\ufffd\ufffd\u001e\ufffd\u07bb \ufffd+[\b#\ufffd \ufffd\ufffdJ\ufffdCrg\u0007\u0006D\u001d\ufffd0\ufffdZI1\b\ufffd\|!\ufffdP\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8088:8088 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd~\ufffd\ufffdE6]\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffd\u07bb \ufffd+[#\ufffd \ufffd\ufffdJ\ufffdCrgD\ufffd0\ufffdZI1\ufffd\|!\ufffdP\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8088", "service_banner": "honeypot-http-alt-8088", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
18/06/2026 22:14:56 UTC	TCP	4500 · HTTP	http	ipsec probe ipsec probe · via HTTP:4500 · (sonde / probe)	Élevée	Moyen · 43
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4500 Chemin / cible / Service HTTP Pourquoi cette classification : Type « ipsec_probe » (signaux protocolaires) · confiance 37% Confiance classification 37% Confiance modérée — signal unique Risque capteur Moyen · 43 Confiance : Confiance 37 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0637 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) IKE NAT-T port Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4500 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4500 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "624251ca10fd49fd6c8c0ca4b707265b64633d2c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.364296277538317, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 4500, "risk_waf": 72, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 48, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6ca3381de7af48b05105fbfdc40ed38c81f7c56d", "event_fingerprint": "e20298a458848dc5b05d194de3f1c8d2c86d177f", "classification_reason": "Type \u00ab ipsec_probe \u00bb (signaux protocolaires) \u00b7 confiance 37%", "confidence": 0.37, "classification_confidence": 0.37, "precision_score": 44, "precision_signals": [ "pat-0637" ], "kb_rule_ids": [ "pat-0637" ], "matched_patterns": [ "pat-0637" ], "matched_pattern_names": [ "IKE NAT-T port" ], "pattern_ids": [ "pat-0637" ], "confidence_breakdown": { "waf": 72, "classification": 48, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 37, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "4ae0382d89571afa49a7c657bb4cf0f9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4500, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab ipsec_probe \u00bb (signaux protocolaires) \u00b7 confiance 37%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "778b20f48830913ea55da7af0d6b84db3e23f273", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 4500, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "ipsec probe \u00b7 via HTTP:4500 \u00b7 (sonde \/ probe)", "target_port_label": "4500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 37 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ipsec_probe \u00bb (signaux protocolaires) \u00b7 confiance 37%", "classification_reason_label_fr": "Type \u00ab ipsec_probe \u00bb (signaux protocolaires) \u00b7 confiance 37%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 43\/100", "confidence_pct": 37, "confidence_breakdown": { "waf": 72, "classification": 48, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4500, "protocol_emulated": null, "tags_summary": [ "pat-0637" ], "tags_summary_labels_fr": [ "pat-0637" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 4500, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ipsec probe \u00b7 via HTTP:4500 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4500\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "4500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 37 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 37 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4500" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
18/06/2026 21:59:27 UTC	TCP	4500 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:4500 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 273ee16f367b64a0 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4500 Chemin / cible — Service TLS Payload ��F�"�!��P=z3�z j" (�J�%�q]oͱ� �᳕o�١��f@��N�Z\|s�q_q�i��/�PD ��+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ IKE NAT-T port User-Agent — Règles WAF — Payload (extrait) ��F�"�!��P=z3�z j" (�J�%�q]oͱ� �᳕o�١��f@��N�Z\|s�q_q�i��/�PD ��+�/�,�0̨̩��/5 Requête brute (extrait) ��F�"�!��P=z3�z j" (�J�%�q]oͱ� �᳕o�١��f@��N�Z\|s�q_q�i��/�PD ��+�/�,�0̨̩��/5 # �+ 3&$ f:I��b?Q��Q(��B�R��{�l�� Meta JSON brut { "tls_ja3_hash": "273ee16f367b64a0ac6ce842f52c43f8", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 2, "bytes_in": 241, "payload_entropy": 5.9241157041456205, "port_category": "registered", "org": "CariNet, Inc.", "service": "tls", "app_proto": "tls", "asn": 10439, "country": "US", "dst_port": 4500, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "54c513e34118c5890798d860cdf54a016f3a2b6c", "event_fingerprint": "5372139079c20f4dd3e6c9c4565f3a82db008a7e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0637" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "IKE NAT-T port" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0637" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "273ee16f367b64a0ac6ce842f52c43f8", "payload_hash": "d1f3ba430f30ca9fbc67971289fdcd5e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,35466-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4500, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012F\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0017\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012F\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0017\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 f:I\u001f\u0007\ufffd\ufffd\u000e\u0010\ufffdb?Q\ufffd\ufffd\ufffdQ(\ufffd\ufffdB\ufffdR\ufffd\ufffd\ufffd{\ufffdl\ufffd\ufffd\u0015", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012F\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0017\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "366d0097fae7aecd34c156ef40606e6cc3d520a8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012F\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0017\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "273ee16f367b64a0ac6ce842f52c43f8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 4500, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdF\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via TLS:4500 \u00b7 (sonde \/ probe)", "target_port_label": "4500 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 4500, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0012F\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0017\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "273ee16f367b64a0ac6ce842f52c43f8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 4500, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:4500 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdF\ufffd\"\ufffd!\ufffd\ufffdP=z3\ufffdz j\" (\ufffdJ\ufffd%\ufffdq]o\u0371\ufffd \ufffd\u1cd5o\ufffd\u0661\ufffd\ufffdf@\ufffd\ufffdN\ufffdZ\|s\ufffdq_q\ufffdi\ufffd\ufffd\/\ufffdPD \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "4500 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "4500" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
17/06/2026 08:25:20 UTC	TCP	445 · SMB	smb	Sonde SMB smb probe · via SMB:445 · (sonde / probe)	Élevée	Faible · 30
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_smb_probe smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Payload GET / HTTP/1.1 Host: 62.3.50.33:445 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 30 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:445 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:445 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000048", "emulator_response_len": 4, "bytes_in": 201, "payload_entropy": 5.373747495196941, "port_category": "well_known", "org": "CariNet, Inc.", "service": "smb", "app_proto": "smb", "asn": 10439, "country": "US", "dst_port": 445, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 46, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 15 }, "risk_score": 30, "tag_count": 4, "anomaly_count": 0, "campaign_key": "48fbaba61a4cdfac08fe679bfda2e53eaf019864", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 15, "risk_score": 30 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "42baa848a7f465ff3a21987e418a1520", "path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 30 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b8fd6b879cec9290e4a40dc61e82a845ea2b704b", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 30\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 15, "risk_score": 30 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 30, "risk_label": "Faible", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:445\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_smb_probe", "smb_emulated" ] }
17/06/2026 08:10:01 UTC	TCP	445 · SMB	smb	Sonde PostgreSQL postgres probe · via SMB:445 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 3f80116cf73b4082 Émulateur SMB WAF — Recommandation Surveiller Tags net_smb_probe smb_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Payload ��,��{�P��[�؏hL�l7��꺍�'� ��L�8��b�X�ē6x��.I��z�hs&{g ��+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��,��{�P��[�؏hL�l7��꺍�'� ��L�8��b�X�ē6x��.I��z�hs&{g ��+�/�,�0̨̩��/5 Requête brute (extrait) ��,��{�P��[�؏hL�l7��꺍�'� ��L�8��b�X�ē6x��.I��z�hs&{g ��+�/�,�0̨̩��/5 # �+ 3&$ ـ���,�a4L�s>�g16~n�5Ղ1; Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000048", "emulator_response_len": 4, "bytes_in": 241, "payload_entropy": 5.879903994469049, "port_category": "well_known", "org": "CariNet, Inc.", "service": "smb", "app_proto": "smb", "asn": 10439, "country": "US", "dst_port": 445, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b221183d2a202f83c4965e0b4bf8178eecc7abdf", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7f47edeacf3226a9c24ac5c1996f9346", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "3f80116cf73b4082e6841b3767e8cd92", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "3f80116cf73b4082e6841b3767e8cd92", "tls_ja3": "771,51914-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffd\ufffd{\u001c\ufffdP\u001d\ufffd\ufffd\ufffd[\ufffd\u060f\u0004hL\ufffdl7\u001c\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&\u000e{g\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffd\ufffd{\u001c\ufffdP\u001d\ufffd\ufffd\ufffd[\ufffd\u060f\u0004hL\ufffdl7\u001c\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&\u000e{g\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0640\u0012\ufffd\ufffd\u001b\ufffd,\ufffda4L\ufffds>\u001f\ufffd\u001dg16~n\ufffd\u00055\u05421;", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffd\ufffd{\u001c\ufffdP\u001d\ufffd\ufffd\ufffd[\ufffd\u060f\u0004hL\ufffdl7\u001c\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&\u000e{g\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ed6afd2dab55a8b9bae329842b4926fd1788b92", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffd\ufffd{\u001c\ufffdP\u001d\ufffd\ufffd\ufffd[\ufffd\u060f\u0004hL\ufffdl7\u001c\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&\u000e{g\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "3f80116cf73b4082e6841b3767e8cd92", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "evidence_snippet": "\ufffd\ufffd\ufffd,\ufffd\ufffd\ufffd{\ufffdP\ufffd\ufffd\ufffd[\ufffd\u060fhL\ufffdl7\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&{g \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffd\ufffd{\u001c\ufffdP\u001d\ufffd\ufffd\ufffd[\ufffd\u060f\u0004hL\ufffdl7\u001c\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&\u000e{g\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "3f80116cf73b4082e6841b3767e8cd92", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "postgres probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd,\ufffd\ufffd\ufffd{\ufffdP\ufffd\ufffd\ufffd[\ufffd\u060fhL\ufffdl7\ufffd\ufffd\uae8d\ufffd'\ufffd \ufffd\ufffdL\ufffd8\ufffd\ufffd\ufffdb\ufffdX\ufffd\u01136x\ufffd\ufffd\ufffd.I\ufffd\ufffdz\ufffdhs&{g \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_smb_probe", "smb_emulated", "tls_clienthello" ] }
17/06/2026 07:54:30 UTC	TCP	445 · SMB	smb	Sonde SMB smb probe · via SMB:445 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_smb_probe smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Payload E�SMBrH"NT LM 0.12SMB 2.002SMB 2.??? Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) E�SMBrH"NT LM 0.12SMB 2.002SMB 2.??? Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000048", "emulator_response_len": 4, "bytes_in": 73, "payload_entropy": 3.2784639422638415, "port_category": "well_known", "org": "CariNet, Inc.", "service": "smb", "app_proto": "smb", "asn": 10439, "country": "US", "dst_port": 445, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 32, "tag_count": 2, "anomaly_count": 0, "campaign_key": "90eadff6383eb9d1d8f3257adde4c79c467b3287", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "service_name": "smb", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cd226f36ab872d41dd8ead2680b26e9e", "path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 32 }, "payload_preview": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "request_sample": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "payload_snippet": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "payload_snippet": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5079c9faa392d2e78ff6180053ed59123d8d9456", "protocol_details": { "payload_preview": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "evidence_snippet": "E\ufffdSMBrH\"NT LM 0.12SMB 2.002SMB 2.???", "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000E\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001H\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\"\u0000\u0002NT LM 0.12\u0000\u0002SMB 2.002\u0000\u0002SMB 2.???\u0000", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": "E\ufffdSMBrH\"NT LM 0.12SMB 2.002SMB 2.???", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_smb_probe", "smb_emulated" ] }
17/06/2026 07:33:54 UTC	TCP	445 · SMB	smb	Sonde SMB smb probe · via SMB:445 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_smb_probe smb_emulated smb_negotiate Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Payload f�SMB@$ Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) f�SMB@$ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000048", "emulator_response_len": 4, "bytes_in": 106, "payload_entropy": 0.8705031002248842, "port_category": "well_known", "org": "CariNet, Inc.", "service": "smb", "app_proto": "smb", "asn": 10439, "country": "US", "dst_port": 445, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 32, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0a0771a3bdd8d70214fa68e3805e1b0eaa920ce5", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "service_name": "smb", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "912eecdef811ce36529a0be97c1931a5", "path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 32 }, "payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0002", "evidence": { "request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0002", "payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0002", "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54a7b7691cd5906912565c5c66def0bda0cf2b53", "protocol_details": { "payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0002", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "evidence_snippet": "f\ufffdSMB@$", "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0002", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": "f\ufffdSMB@$", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_smb_probe", "smb_emulated", "smb_negotiate" ] }
17/06/2026 01:11:04 UTC	TCP	5022 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:5022 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5022 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 43 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5022 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5022 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "b9aef645c382289bd792cf9fef8d36f7b83bee15", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.376817688493667, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 5022, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c1ee9424af58f75ed4c60fbd6f95812c2b6d3c98", "event_fingerprint": "b8b970094aa78944aa36fbfca16d634974d938e7", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "7173b8eca8230ff8a1d3d3f10930ba1f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5022, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc982743acaad19e89e411d5e89aa64cf6bdef6b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 5022, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:5022 \u00b7 (tentative d'exploit)", "target_port_label": "5022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5022, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 5022, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:5022 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "5022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
17/06/2026 00:55:31 UTC	TCP	5022 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:5022 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 9a8ad6b5b1d8f38b Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5022 Chemin / cible — Service TLS Payload �� mW��kb{-y �K�� F�+S L31z�u��x#��]��pbN��O�� ::�+�/�,�0̨̩��/5 Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� mW��kb{-y �K�� F�+S L31z�u��x#��]��pbN��O�� ::�+�/�,�0̨̩��/5 Requête brute (extrait) �� mW��kb{-y �K�� F�+S L31z�u��x#��]��pbN��O�� ::�+�/�,�0̨̩��/5 # �+ 3&$ ��?�l-?"'�W�5�X�4&<V@W��j+2 Meta JSON brut { "tls_ja3_hash": "9a8ad6b5b1d8f38bb890e31df5c5eb62", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 2, "bytes_in": 241, "payload_entropy": 5.8063767158250466, "port_category": "registered", "org": "CariNet, Inc.", "service": "tls", "app_proto": "tls", "asn": 10439, "country": "US", "dst_port": 5022, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2361907cba445a25843ba2cdf5507a98cf79cd4d", "event_fingerprint": "44143c3f4afff7c12a31e960d8496546ee29d44a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9a8ad6b5b1d8f38bb890e31df5c5eb62", "payload_hash": "1b331a7d7e90611397867ec0af40e0f8", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,14906-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 5022, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013\ufffd \ufffdmW\u0000\ufffd\u0004\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\f\ufffd\ufffdF\ufffd\u0019+S \u001fL\u001131z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffd\u001apbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd\u0000 ::\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013\ufffd \ufffdmW\u0000\ufffd\u0004\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\f\ufffd\ufffdF\ufffd\u0019+S \u001fL\u001131z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffd\u001apbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd\u0000 ::\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0015?\ufffdl-?\"'\u0000\ufffdW\ufffd\u00045\ufffdX\ufffd4&<V@W\ufffd\ufffdj+2\b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013\ufffd \ufffdmW\u0000\ufffd\u0004\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\f\ufffd\ufffdF\ufffd\u0019+S \u001fL\u001131z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffd\u001apbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd\u0000 ::\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1119c03698ba76946f0e1fdda12948df9cac74e6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013\ufffd \ufffdmW\u0000\ufffd\u0004\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\f\ufffd\ufffdF\ufffd\u0019+S \u001fL\u001131z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffd\u001apbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd\u0000 ::\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "9a8ad6b5b1d8f38bb890e31df5c5eb62", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 5022, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd \ufffdmW\ufffd\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\ufffd\ufffdF\ufffd+S L31z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffdpbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via TLS:5022 \u00b7 (sonde \/ probe)", "target_port_label": "5022 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5022, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013\ufffd \ufffdmW\u0000\ufffd\u0004\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\f\ufffd\ufffdF\ufffd\u0019+S \u001fL\u001131z\ufffdu\ufffd\ufffdx#\ufffd\ufffd\ufffd]\ufffd\ufffd\u001apbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd\u0000 ::\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "9a8ad6b5b1d8f38bb890e31df5c5eb62", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 5022, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:5022 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd \ufffdmW\ufffd\ufffdkb{-y \ufffdK\ufffd\ufffd\ufffd\ufffd\n\ufffd\ufffdF\ufffd+S L31z\ufffdu\ufffd\ufffdx#*\ufffd\ufffd\ufffd]\ufffd\ufffdpbN\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffd ::\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "5022 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
17/06/2026 00:40:09 UTC	TCP	5022 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:5022 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Émulateur SSH WAF — Recommandation Investiguer Tags ssh_banner ssh_openssh ssh_openssh_9.2p1 Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5022 Chemin / cible — Service SSH Bannière SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Payload SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Signaux Cve 2024 6387 pat-0387 pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) OpenSSH banner SSH-2.0 banner RFC4253 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Meta JSON brut { "bytes_in": 40, "payload_entropy": 4.384183719779188, "port_category": "registered", "org": "CariNet, Inc.", "service": "ssh", "app_proto": "ssh", "asn": 10439, "country": "US", "dst_port": 5022, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "da60e48566f58c132d9c971b2ffe6d729e08d0ae", "event_fingerprint": "17c54ed6fa933b8139a71957b003a1b04dd52cb5", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 219, "precision_signals": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0387", "pat-0391" ], "matched_pattern_names": [ "OpenSSH banner", "SSH-2.0 banner RFC4253" ], "pattern_ids": [ "pat-0387", "pat-0391" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "46384a6fdc24b76231fbfed2904ea63d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 5022, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "evidence": { "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1190" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a38b9739bc175a2dae0f1e6e662ebfe8aefafc80", "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "port": 5022, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "attack_vector": "Sonde SSH \u00b7 via SSH:5022 \u00b7 (sonde \/ probe)", "target_port_label": "5022 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 5022, "protocol_emulated": null, "tags_summary": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Cve 2024 6387", "pat-0387", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "port": 5022, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:5022 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "target_port_label": "5022 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "5022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "ssh_banner", "ssh_openssh", "ssh_openssh_9.2p1" ] }
16/06/2026 08:16:03 UTC	TCP	1900 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1900 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1900 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "e1143f92b7eef38ba47bdc25166934e857915a18", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.37793433447972, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 1900, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "69592ef18c844fb560b38e9dcfb57be2ade7d6f7", "event_fingerprint": "be83c82a3f65a375207574817cf2a4c83a81ed8c", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "4507f500feff1aa30eaf9020407d5487", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1900, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d86005b676fde5de06f43b4e78ac76b2cac32427", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 1900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:1900 \u00b7 (tentative d'exploit)", "target_port_label": "1900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 1900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1900 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "1900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 14:58:46 UTC	TCP	8008 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8008 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8008 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.37007299607523, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8008, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d27c93f347a4fce1766cb4e291904b4ecefdbc28", "event_fingerprint": "f18bef28092c3c3793abefd2132fe2f84d856d0b", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "bb623352f48be48a13a361f170856dd0", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8008, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5e4e8cc5395984ca7bbc55bd7bbefdd1661d7c6", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8008, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
15/06/2026 14:58:15 UTC	TCP	8008 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8008 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8008 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.385902851679902, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8008, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ef9987a617a2a6146a7604329b878d34cc3b3233", "event_fingerprint": "185d7bb07616422554e1f926743ef961b5eb7000", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "c5d8b0490f00d28bdac60cf2c7fab722", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8008, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "474930d8e3d43b9ff4201bf43a23f0659cca0fe9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:8008 \u00b7 (tentative d'exploit)", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8008, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8008 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
15/06/2026 14:42:31 UTC	TCP	8008 · HTTP ALT 8008	http-alt-8008	Sonde PostgreSQL postgres probe · via HTTP ALT 8008:8008 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 db4699123d43b8c1 Émulateur HTTP-ALT-8008 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8008 Chemin / cible — Service HTTP ALT 8008 Payload ��"m�i��1/�Cq@��0��9�Zm�Ëtb�� C=C��'�y�F��9m��RD��-�%��p zz�+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��"m�i��1/�Cq@��0��9�Zm�Ëtb�� C=C��'�y�F��9m��RD��-�%��p zz�+�/�,�0̨̩��/5 Requête brute (extrait) ��"m�i��1/�Cq@��0��9�Zm�Ëtb�� C=C��'�y�F��9m��RD��-�%��p zz�+�/�,�0̨̩��/5 # �+ 3&$ >ɏ�V/�aAQI��N�KV�R��^� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.831143206400532, "port_category": "registered", "org": "CariNet, Inc.", "service": "http-alt-8008", "app_proto": "http-alt-8008", "asn": 10439, "country": "US", "dst_port": 8008, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "44b3f35faafd3524969073747a88a84f8d636a96", "event_fingerprint": "79a69c657f02dad35976cdc1182c80402d8997d5", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8008", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "990ad30a3a567c3a1ea479b77a269592", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "db4699123d43b8c183866c2af5f92755", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "db4699123d43b8c183866c2af5f92755", "tls_ja3": "771,31354-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8008, "service": "http-alt-8008", "service_name": "http-alt-8008", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"m\ufffdi\ufffd\ufffd1\/\ufffd\u0014Cq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=\u001eC\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9\u001dm\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp\u0000 zz\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"m\ufffdi\ufffd\ufffd1\/\ufffd\u0014Cq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=\u001eC\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9\u001dm\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp\u0000 zz\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 >\u024f\ufffdV\/\u0004\ufffdaAQI\ufffd\ufffd\ufffd\u001b\ufffdN\ufffdKV\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd\u001f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"m\ufffdi\ufffd\ufffd1\/\ufffd\u0014Cq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=\u001eC\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9\u001dm\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp\u0000 zz\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21bce35a3011a73497a3906cc670cb7e72c03385", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"m\ufffdi\ufffd\ufffd1\/\ufffd\u0014Cq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=\u001eC\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9\u001dm\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp\u0000 zz\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "db4699123d43b8c183866c2af5f92755", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8008, "service": "http-alt-8008", "service_label_fr": "HTTP ALT 8008" }, "evidence_snippet": "\ufffd\ufffd\"m\ufffdi\ufffd\ufffd1\/\ufffdCq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=C\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9m\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp zz\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8008:8008 \u00b7 (sonde \/ probe)", "target_port_label": "8008 \u00b7 HTTP ALT 8008", "emulator_service": "http-alt-8008", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8008", "service_label_fr": "HTTP ALT 8008", "dst_port": 8008, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8008", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"m\ufffdi\ufffd\ufffd1\/\ufffd\u0014Cq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=\u001eC\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9\u001dm\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp\u0000 zz\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "db4699123d43b8c183866c2af5f92755", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8008, "service": "http-alt-8008", "service_label_fr": "HTTP ALT 8008" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8008:8008 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\"m\ufffdi\ufffd\ufffd1\/\ufffdCq@\ufffd\ufffd\ufffd\ufffd0\ufffd\ufffd9\ufffdZm\ufffd\u00cbtb\ufffd\ufffd\ufffd \ufffdC=C\ufffd\ufffd'\ufffdy\ufffdF\ufffd\ufffd9m\ufffd\ufffd\ufffd\ufffdRD\ufffd\ufffd-\ufffd%\ufffd\ufffdp zz\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "8008 \u00b7 HTTP ALT 8008", "emulator_service": "http-alt-8008", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8008", "service_banner": "honeypot-http-alt-8008", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
15/06/2026 00:48:50 UTC	TCP	22 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:22 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 � �%cM�3o%�'&t�… Émulateur SSH WAF — Recommandation Investiguer Tags net_ssh_probe ssh_banner ssh_emulated ssh_kex_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Bannière SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 � �%cM�3o%�'&t��curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sh… Payload SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 � �%cM�3o%�'&t��curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Client SSH libssh/paramiko (scanner) Cve 2024 6387 pat-0387 pat-0391 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) OpenSSH banner SSH-2.0 banner RFC4253 TFTP RRQ User-Agent — Règles WAF — Payload (extrait) SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 ��%cM�3o%�'&t��curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp Requête brute (extrait) SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 � �%cM�3o%�'&t��curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,c Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "bytes_in": 2072, "payload_entropy": 4.817715537946259, "port_category": "well_known", "org": "CariNet, Inc.", "service": "ssh", "app_proto": "ssh", "asn": 10439, "country": "US", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 50, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e644f21eee2a4bb09a3b5f9b0309d38618d1df3d", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 273, "precision_signals": [ "INT-ssh-libssh-ua", "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-ssh-libssh-ua", "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0387", "pat-0391", "pat-0536" ], "matched_pattern_names": [ "OpenSSH banner", "SSH-2.0 banner RFC4253", "TFTP RRQ" ], "pattern_ids": [ "pat-0387", "pat-0391", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0a7da3b205c0d907c8673c37137875fa", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,c", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "evidence": { "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,c", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1595", "T1190" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bca51f9db4a256f46ac6ca45b8e4871f82c16e1", "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\ufffd\ufffd%cM\ufffd3o%\ufffd'&t\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "INT-ssh-libssh-ua", "INT-CVE-2024-6387", "pat-0387", "pat-0391" ], "tags_summary_labels_fr": [ "Client SSH libssh\/paramiko (scanner)", "Cve 2024 6387", "pat-0387", "pat-0391" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\u0000\u0000\u0007\ufffd\f\u0014\ufffd%cM\ufffd3o%\ufffd\u0017\u0017\u0011'&t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n\ufffd\ufffd%cM\ufffd3o%\ufffd'&t\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh", "ssh_openssh", "ssh_openssh_9.2p1" ] }
15/06/2026 00:15:46 UTC	TCP	1337 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1337 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1337 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1337 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1337 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "e970e1123d345de9d5824e11de9cdb81bcedfb97", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.361095375392516, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 1337, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b4762be713e06c45b84a3bea4ee0b11fbebc7108", "event_fingerprint": "237767dba29c60c52aa388921042b312827b2136", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "863bdf195e9c9b89e96c878238b2cc9b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1337, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6736d30638b60d4ff0a6209c1d0258beace13f6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 1337, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:1337 \u00b7 (tentative d'exploit)", "target_port_label": "1337 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1337, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 1337, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1337 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1337\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "1337 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1337" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 00:00:10 UTC	TCP	1337 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:1337 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 6e707ec63a6981f8 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1337 Chemin / cible — Service TLS Payload ��"�R��Ͽh�^#Wǁ��ݛN斘m 0�2��'Dm��q�s5ծ�)\|A�µT �+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��"�R��Ͽh�^#Wǁ��ݛN斘m 0�2��'Dm��q�s5ծ�)\|A�µT �+�/�,�0̨̩��/5 Requête brute (extrait) ��"�R��Ͽh�^#Wǁ��ݛN斘m 0�2��'Dm��q�s5ծ�)\|A�µT *�+�/�,�0̨̩��/5 # �+ 3&$ r��wI&W�/��I��#E5�nG< Meta JSON brut { "tls_ja3_hash": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 2, "bytes_in": 241, "payload_entropy": 5.8696782955200435, "port_category": "registered", "org": "CariNet, Inc.", "service": "tls", "app_proto": "tls", "asn": 10439, "country": "US", "dst_port": 1337, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c432e4df5b120f4201c0ee899ebb11e5a8dacff8", "event_fingerprint": "a40c6da51d36ffa912ea454810b8376424a97f9a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "payload_hash": "e26e5c3be17d50b5d81ff3db2ee0e0e1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,10794-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 1337, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\u001f\u0006\ufffd\ufffd\u000e\u0017\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\u001f\u0006\ufffd\ufffd\u000e\u0017\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 r\ufffd\u0012\ufffd\u0019wI&W\u0004\ufffd\/\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffd\u001b\ufffd\ufffd\u0011#E5\ufffdnG\u0013<", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\u001f\u0006\ufffd\ufffd\u000e\u0017\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "768c37d59a23f4e952a3bfa143df6c5e6074cc2d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\u001f\u0006\ufffd\ufffd\u000e\u0017\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 1337, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T \ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via TLS:1337 \u00b7 (sonde \/ probe)", "target_port_label": "1337 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 1337, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\u001f\u0006\ufffd\ufffd\u000e\u0017\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 1337, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:1337 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\"\ufffdR\ufffd\ufffd\u03ffh\ufffd^#W\u01c1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u075bN\u6598m 0\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'Dm\ufffd\ufffdq\ufffds5\u056e\ufffd)\|A\ufffd\u00b5T *\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "1337 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "1337" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
14/06/2026 23:44:32 UTC	TCP	1337 · SSH	ssh	Sonde SSH Sonde SSH · via SSH:1337 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Émulateur SSH WAF — Recommandation Investiguer Tags ssh_banner ssh_openssh ssh_openssh_9.2p1 Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1337 Chemin / cible — Service SSH Bannière SSH SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Payload SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Signaux Cve 2024 6387 pat-0387 pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) OpenSSH banner SSH-2.0 banner RFC4253 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 Meta JSON brut { "bytes_in": 40, "payload_entropy": 4.384183719779188, "port_category": "registered", "org": "CariNet, Inc.", "service": "ssh", "app_proto": "ssh", "asn": 10439, "country": "US", "dst_port": 1337, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4dfcc1db479dc9052a9023e9edc06ac1a81f3343", "event_fingerprint": "6113ffac56a31cde3a01b38f7d6417ad5f5e5782", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 219, "precision_signals": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0387", "pat-0391" ], "matched_pattern_names": [ "OpenSSH banner", "SSH-2.0 banner RFC4253" ], "pattern_ids": [ "pat-0387", "pat-0391" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "46384a6fdc24b76231fbfed2904ea63d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 1337, "service": "ssh", "service_name": "ssh", "risk_score": 50 }, "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "evidence": { "request_sample": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7\r\n", "payload_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046", "T1190" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9986072b83e04ff32cab672487e701134582ad44", "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "port": 1337, "service": "ssh", "service_label_fr": "SSH" }, "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "attack_vector": "Sonde SSH \u00b7 via SSH:1337 \u00b7 (sonde \/ probe)", "target_port_label": "1337 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 1337, "protocol_emulated": null, "tags_summary": [ "INT-CVE-2024-6387", "pat-0387", "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "Cve 2024 6387", "pat-0387", "pat-0391", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "payload_preview": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "port": 1337, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "Sonde SSH \u00b7 via SSH:1337 \u00b7 (sonde \/ probe)", "evidence_snippet": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7", "target_port_label": "1337 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "1337" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "ssh_banner", "ssh_openssh", "ssh_openssh_9.2p1" ] }
14/06/2026 18:52:38 UTC	TCP	8081 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8081 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.374913441014935, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8081, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "33f56cf6a54fcad8c112e45f7dedaacd90364ef2", "event_fingerprint": "6b2744eafce7982240997f43efc34e8e52158997", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "5685045a4d0d7e6b7fb8eb0d3e988337", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "304f8eceda93f04391e5fbe5550cd76480dda1f8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
14/06/2026 18:52:08 UTC	TCP	8081 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8081 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.39045574543507, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8081, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "91641af73e5a2129931417917b9efcb79fd24137", "event_fingerprint": "e655cce1d5fb43c4d97a30acd0b655feb29cad21", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "0113ed82e8af0f8eae23ce6d182cf926", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac12a6a52243617004923b05f32e3e69051d41dc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
14/06/2026 18:36:12 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	Sonde PostgreSQL postgres probe · via HTTP ALT 8081:8081 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 9a1295b1a16bff82 Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Payload ��\|�@��3��'v��L�'�S�\|�ְ� ��E�Pf�@�D9�Ī@��ly��{3w�"� JJ�+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��\|�@��3��'v��L�'�S�\|�ְ� ��E�Pf�@�D9�Ī@��ly��{3w�"� JJ�+�/�,�0̨̩��/5 Requête brute (extrait) ��\|�@��3��'v��L�'�S�\|�ְ� ��E�Pf�@�D9�Ī@��ly��{3w�"� JJ�+�/�,�0̨̩��/5 # �+ 3&$ ��8q×��O��v�ү��r�^7�X? Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.868916663030243, "port_category": "registered", "org": "CariNet, Inc.", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 10439, "country": "US", "dst_port": 8081, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "929e68b705f9838a7da7b1cddb73ebe75654e59f", "event_fingerprint": "1023f61ccc055c445b71c912dbddfda91b08657e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8a5f75d47a5fc9b0227199fcdce75060", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "9a1295b1a16bff82238115de0f1caecf", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "9a1295b1a16bff82238115de0f1caecf", "tls_ja3": "771,19018-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffd\bly\ufffd\ufffd{3w\ufffd\"\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffd\bly\ufffd\ufffd{3w\ufffd\"\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd8q\u00d7\ufffd\ufffd\ufffd\ufffdO\ufffd\u0013\ufffd\ufffd\ufffdv\ufffd\u04af\ufffd\ufffd\ufffdr\ufffd^7\u001d\ufffdX?", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffd\bly\ufffd\ufffd{3w\ufffd\"\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff6092531cfc85aeefc899d542327fb1bbd6f91a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffd\bly\ufffd\ufffd{3w\ufffd\"\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "9a1295b1a16bff82238115de0f1caecf", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffdly\ufffd\ufffd{3w\ufffd\"\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffd\bly\ufffd\ufffd{3w\ufffd\"\ufffd\u0000 JJ\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "9a1295b1a16bff82238115de0f1caecf", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\|\ufffd@\ufffd\ufffd3\ufffd\ufffd'v\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffd'\ufffdS\ufffd\|\ufffd\u05b0\ufffd \ufffd\ufffd\ufffd\ufffdE\ufffdPf\ufffd@\ufffdD9\ufffd\u012a@\ufffd\ufffd\ufffd\ufffdly\ufffd\ufffd{3w\ufffd\"\ufffd JJ\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
14/06/2026 11:17:19 UTC	TCP	9090 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:9090 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "6252543ba3eb2998668ea356c7da6ab747cb08d7", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.37007299607523, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 9090, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1f8759a0e0560315629a38b5e9d59ae4cf9944cf", "event_fingerprint": "544dc0fe00c4319033ac194aa454357b3d8491ac", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "d6cd0002a2590e93dc60558a4f3e2881", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9be680a89ec0780cee113983e75f2c9e839551be", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:9090 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:9090 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
14/06/2026 11:16:59 UTC	TCP	9090 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:9090 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "6252543ba3eb2998668ea356c7da6ab747cb08d7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.385902851679902, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 9090, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "33b9986310f627411be5954a50b21c0dd18be6cd", "event_fingerprint": "21d478b01b65a92acaf01fb8e864bf215ffb4b49", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "54aac05bc392a60a4211013bf32ba35d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e55abdb2609a935bb60973338b6b2eb612d3d0a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:9090 \u00b7 (tentative d'exploit)", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:9090 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
14/06/2026 10:26:03 UTC	TCP	9090 · PROMETHEUS	prometheus	Sonde PostgreSQL postgres probe · via PROMETHEUS:9090 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 8325ea77b93f33be Émulateur PROMETHEUS WAF — Recommandation Surveiller Tags net_prometheus_probe prometheus_emulated prometheus_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9090 Chemin / cible — Service PROMETHEUS Payload ��-w��׵+��\|��1��&�gw�4�d�) ā#x{O�LB�F@m�J:�Tk�O8%��M=� ��+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��-w��׵+��\|��1��&�gw�4�d�) ā#x{O�LB�F@m�J:�Tk�O8%��M=� ��+�/�,�0̨̩��/5 Requête brute (extrait) ��-w��׵+��\|��1��&�gw�4�d�) ā#x{O�LB�F@m�J:�Tk�O8%��M=� ��+�/�,�0̨̩��/5 # �+ 3&$ dm�!Heg7H��sxkװ]<ނo�!T]U�6�B Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "bytes_in": 241, "payload_entropy": 5.820960614416777, "port_category": "registered", "org": "CariNet, Inc.", "service": "prometheus", "app_proto": "prometheus", "asn": 10439, "country": "US", "dst_port": 9090, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b3e2c800e4c98f207922eb467c32121967f4367e", "event_fingerprint": "0eec163002b831506dcf25bef54af6abd6b14766", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "prometheus", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "47a63994b449cdcc36b4ae9b957f7c45", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja3": "771,56026-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9090, "service": "prometheus", "service_name": "prometheus", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\u001b\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#\u0005x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8\u001f%\u0012\ufffd\ufffdM=\u0000\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\u001b\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#\u0005x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8\u001f%\u0012\ufffd\ufffdM=\u0000\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 dm\ufffd!Heg7H\ufffd\ufffdsxk\u05f0]<\u0782o\ufffd!T]U\ufffd6\ufffdB", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\u001b\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#\u0005x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8\u001f%\u0012\ufffd\ufffdM=\u0000\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1c41ce5be1bdf1bfe020b3c8312896b53752dbba", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\u001b\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#\u0005x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8\u001f%\u0012\ufffd\ufffdM=\u0000\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8%\ufffd\ufffdM=\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via PROMETHEUS:9090 \u00b7 (sonde \/ probe)", "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "prometheus", "service_label_fr": "PROMETHEUS", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-prometheus", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\u001b\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#\u0005x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8\u001f%\u0012\ufffd\ufffdM=\u0000\ufffd\u0000 \ufffd\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "8325ea77b93f33be4d29ac9cf18e23a8", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "attack_vector": "postgres probe \u00b7 via PROMETHEUS:9090 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd-w\ufffd\ufffd\u05f5+\ufffd\ufffd\|\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd&\ufffdgw\ufffd4\ufffdd\ufffd) \u0101#x{O\ufffdLB\ufffdF@m\ufffdJ:\ufffdTk\ufffdO8%\ufffd\ufffdM=\ufffd \ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "prometheus", "service_banner": "honeypot-prometheus", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_prometheus_probe", "prometheus_emulated", "prometheus_payload", "tls_clienthello" ] }
14/06/2026 09:41:52 UTC	TCP	8009 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8009 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8009 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8009 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8009 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "7309885c09d2fdd4bd8fad5ee4a09d33022b5e58", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.380599311864703, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8009, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1b1dc356d146b68420ecd0a898904a6b4f772435", "event_fingerprint": "c6d4c9f6ac4e313379e139e1264de122966a4b12", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "7f553fc823fa2d11074ef9465a88242a", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8009, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f2789b5e4963f913ffb91e47a4670437e890181", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8009, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8009 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "8009 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8009, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8009, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8009 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8009 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8009" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
14/06/2026 09:41:23 UTC	TCP	8009 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8009 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8009 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8009 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8009 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e1bd552d7c59ac5400a54b2a889e10afc4986d30", "http_host_hash": "7309885c09d2fdd4bd8fad5ee4a09d33022b5e58", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.395803841778911, "port_category": "registered", "org": "CariNet, Inc.", "service": "http", "app_proto": "http", "asn": 10439, "country": "US", "dst_port": 8009, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e5e7d1fde4f1d90d23a82d2cebcec1dc2659a8a8", "event_fingerprint": "e2e50ec6b84c4699fc85a2c811b0def81cf1a2a4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1bcc9eae1df41fe351c44a7626592eb7", "payload_hash": "c86b9db3b7837c98f590d0cd9cc99c41", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8009, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a28fc728243ae36021c5606a7960558fc3485513", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8009, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:8009 \u00b7 (tentative d'exploit)", "target_port_label": "8009 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8009, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/133.0.0.0 Safari\/537.36", "port": 8009, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8009 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8009\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8009 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8009" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
14/06/2026 09:25:46 UTC	TCP	8009 · AJP	ajp	Sonde PostgreSQL postgres probe · via AJP:8009 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 6e707ec63a6981f8 Émulateur AJP WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8009 Chemin / cible — Service AJP Payload ��!��Z��TS�Q<x-�<��@�� eY�Q�.>n�Ӻ��u�ՙ��y��ks'g� �+�/�,�0̨̩��/5 Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��!��Z��TS�Q<x-�<��@�� eY�Q�.>n�Ӻ��u�ՙ��y��ks'g� �+�/�,�0̨̩��/5 Requête brute (extrait) ��!��Z��TS�Q<x-�<��@�� eY�Q�.>n�Ӻ��u�ՙ��y��ks'g� *�+�/�,�0̨̩��/5 # �+ 3&$ b.�Yo�0�:S�NO/;B-��N�[���� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 241, "payload_entropy": 5.832386345032603, "port_category": "registered", "org": "CariNet, Inc.", "service": "ajp", "app_proto": "ajp", "asn": 10439, "country": "US", "dst_port": 8009, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "426928ae319246096b6658ba89d664d58daa6626", "event_fingerprint": "fdfe6413350ff03e54754d0ef16a054e66f1168b", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "ajp", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 10439, "org": "CariNet, Inc.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4db3519ea96a9eaba1cdab8e8c92cbb2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "ja4": "0b693e37f8b0804d1b83cc587978e645", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_ja3": "771,10794-4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,5-10-11-35-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "0b693e37f8b0804d1b83cc587978e645", "tls_ja4": "t13d0116_18f59fb8566e_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 16, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8009, "service": "ajp", "service_name": "ajp", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a!\ufffd\ufffd\ufffdZ\ufffd\ufffd\u000f\u001d\ufffdTS\u0012\u0002\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd\u0013@\ufffd\ufffd\ufffd\ufffd eY\u001f\u001a\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\u0013\ufffdu\ufffd\u0559\ufffd\u0005\ufffdy\ufffd\ufffdks'g\ufffd\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a!\ufffd\ufffd\ufffdZ\ufffd\ufffd\u000f\u001d\ufffdTS\u0012\u0002\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd\u0013@\ufffd\ufffd\ufffd\ufffd eY\u001f\u001a\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\u0013\ufffdu\ufffd\u0559\ufffd\u0005\ufffdy\ufffd\ufffdks'g\ufffd\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 b.\ufffdYo\u0018\ufffd0\ufffd:S\ufffdNO\/;B-\u000f\ufffd\ufffd\ufffdN\ufffd[\ufffd\ufffd\ufffd\ufffd\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a!\ufffd\ufffd\ufffdZ\ufffd\ufffd\u000f\u001d\ufffdTS\u0012\u0002\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd\u0013@\ufffd\ufffd\ufffd\ufffd eY\u001f\u001a\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\u0013\ufffdu\ufffd\u0559\ufffd\u0005\ufffdy\ufffd\ufffdks'g\ufffd\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "50df7ecf9b0300d9e47f61d799c0a12eb99873f2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a!\ufffd\ufffd\ufffdZ\ufffd\ufffd\u000f\u001d\ufffdTS\u0012\u0002\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd\u0013@\ufffd\ufffd\ufffd\ufffd eY\u001f\u001a\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\u0013\ufffdu\ufffd\u0559\ufffd\u0005\ufffdy\ufffd\ufffdks'g\ufffd\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8009, "service": "ajp", "service_label_fr": "AJP" }, "evidence_snippet": "\ufffd\ufffd!\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffdTS\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd eY\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\ufffdu\ufffd\u0559\ufffd\ufffdy\ufffd\ufffdks'g\ufffd \ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "attack_vector": "postgres probe \u00b7 via AJP:8009 \u00b7 (sonde \/ probe)", "target_port_label": "8009 \u00b7 AJP", "emulator_service": "ajp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "ajp", "service_label_fr": "AJP", "dst_port": 8009, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ajp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001a!\ufffd\ufffd\ufffdZ\ufffd\ufffd\u000f\u001d\ufffdTS\u0012\u0002\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd\u0013@\ufffd\ufffd\ufffd\ufffd eY\u001f\u001a\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\u0013\ufffdu\ufffd\u0559\ufffd\u0005\ufffdy\ufffd\ufffdks'g\ufffd\u0000 \u0013\u0001\u0013\u0002\u0013\u0003\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\u0013\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000", "tls_ja3": "6e707ec63a6981f8e6072a6e3c37c9dc", "tls_ja4": "0b693e37f8b0804d1b83cc587978e645", "port": 8009, "service": "ajp", "service_label_fr": "AJP" }, "attack_vector": "postgres probe \u00b7 via AJP:8009 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd!\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffdTS\ufffdQ<x-\ufffd<\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd eY\ufffdQ\ufffd.>n\ufffd\u04fa\ufffd\ufffd\ufffdu\ufffd\u0559\ufffd\ufffdy\ufffd\ufffdks'g\ufffd *\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\/5", "target_port_label": "8009 \u00b7 AJP", "emulator_service": "ajp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ajp", "service_banner": "honeypot-ajp", "service_os": "linux", "dst_port": "8009" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }

71.6.134.204

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence