|
|
TCP |
8744 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8744 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8744
Chemin / cible
—
Service
TLS
Payload
�����������{�c�������M Z��\��h����N N���Hg� f�0�s�?��� ϐΟD���f�J�������\� �\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������{�c�������M Z��\��h����N�N���Hg� f�0�s�?��� ϐΟD���f�J�������\���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������{�c�������M Z��\��h����N N���Hg� f�0�s�?��� ϐΟD���f�J�������\� �\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.294551206855051,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8744,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "37b68e23fad3e6951198f8c7215cb6f14a6c286e",
"event_fingerprint": "b21205c71ab2ee6454bba974b89dfb6c3b34504c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "ce6fd80f41061ebe873091f0aa016aa0",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8744,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\ufffdM Z\u0018\u0018\\\ufffd\ufffdh\ufffd\ufffd\u001f\ufffdN\fN\u0010\u0003\u0016Hg\ufffd f\ufffd0\u0003s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\u0015\u0011\u0018\\\ufffd\f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\ufffdM Z\u0018\u0018\\\ufffd\ufffdh\ufffd\ufffd\u001f\ufffdN\fN\u0010\u0003\u0016Hg\ufffd f\ufffd0\u0003s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\u0015\u0011\u0018\\\ufffd\f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\ufffdM Z\u0018\u0018\\\ufffd\ufffdh\ufffd\ufffd\u001f\ufffdN\fN\u0010\u0003\u0016Hg\ufffd f\ufffd0\u0003s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\u0015\u0011\u0018\\\ufffd\f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "68432808efff8574c97616fcc85cd75dd3fb8a8b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\ufffdM Z\u0018\u0018\\\ufffd\ufffdh\ufffd\ufffd\u001f\ufffdN\fN\u0010\u0003\u0016Hg\ufffd f\ufffd0\u0003s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\u0015\u0011\u0018\\\ufffd\f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8744,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM Z\\\ufffd\ufffdh\ufffd\ufffd\ufffdNNHg\ufffd f\ufffd0s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\\\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8744 \u00b7 (sonde \/ probe)",
"target_port_label": "8744 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8744,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\u0019\ufffdM Z\u0018\u0018\\\ufffd\ufffdh\ufffd\ufffd\u001f\ufffdN\fN\u0010\u0003\u0016Hg\ufffd f\ufffd0\u0003s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\u0015\u0011\u0018\\\ufffd\f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8744,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8744 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd{\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM Z\\\ufffd\ufffdh\ufffd\ufffd\ufffdNNHg\ufffd f\ufffd0s\ufffd?\ufffd\ufffd\ufffd \u03d0\u039fD\ufffd\ufffd\ufffdf\ufffdJ\ufffd\ufffd\ufffd\ufffd\\\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8744 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8744"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8744 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8744 · (tentative d'exploit)
|
Élevée
|
Moyen · 42
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8744
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8744
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8744 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "c2be107161e71ad5c4824760f1d10b16bfb51ace",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.454701133850898,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8744,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "4c1eae578c85ef600a2ae7d34e1f5c886be5263b",
"event_fingerprint": "63e8f1b8ab01411ab67e9e488dbbbb6ac8810dff",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "7f430aec2304bc55badb7fc0ed10f2c8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8744,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e34b62913597435a69c1dc572999b56107664d76",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8744,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8744 \u00b7 (tentative d'exploit)",
"target_port_label": "8744 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8744,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8744,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8744 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8744\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8744 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8744"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8183 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8183 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8183
Chemin / cible
—
Service
TLS
Payload
�����������h�i����7NI�8�;{8��x�{�J�S/W��P�� ~-�t[x���Բ$ �h��kD���g���j/v`'��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������h�i����7NI�8�;{8��x�{�J�S/W��P�� ~-�t[x���Բ$��h��kD���g���j/v`'��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������h�i����7NI�8�;{8��x�{�J�S/W��P�� ~-�t[x���Բ$ �h��kD���g���j/v`'��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.249547227158195,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8183,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6b1b723153476ebbe104ac2adbe5dfe06c1c3c83",
"event_fingerprint": "4ef37818830f9a92ba09667349a1787f8b9fedc3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "c4d297ad84de70107f28f4f18eff90a6",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8183,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffdi\ufffd\ufffd\u0019\ufffd7NI\u00018\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\u0000\ufffdP\u0001\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\u000b\ufffdh\ufffd\ufffdkD\ufffd\ufffd\u0014g\ufffd\ufffd\u0015j\/v`'\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffdi\ufffd\ufffd\u0019\ufffd7NI\u00018\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\u0000\ufffdP\u0001\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\u000b\ufffdh\ufffd\ufffdkD\ufffd\ufffd\u0014g\ufffd\ufffd\u0015j\/v`'\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffdi\ufffd\ufffd\u0019\ufffd7NI\u00018\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\u0000\ufffdP\u0001\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\u000b\ufffdh\ufffd\ufffdkD\ufffd\ufffd\u0014g\ufffd\ufffd\u0015j\/v`'\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a4be7f1e19d7f5d51329807afba3b2cca64a9ee8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffdi\ufffd\ufffd\u0019\ufffd7NI\u00018\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\u0000\ufffdP\u0001\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\u000b\ufffdh\ufffd\ufffdkD\ufffd\ufffd\u0014g\ufffd\ufffd\u0015j\/v`'\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8183,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffdh\ufffdi\ufffd\ufffd\ufffd7NI8\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\ufffdP\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\ufffdh\ufffd\ufffdkD\ufffd\ufffdg\ufffd\ufffdj\/v`'\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8183 \u00b7 (sonde \/ probe)",
"target_port_label": "8183 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8183,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffdi\ufffd\ufffd\u0019\ufffd7NI\u00018\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\u0000\ufffdP\u0001\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\u000b\ufffdh\ufffd\ufffdkD\ufffd\ufffd\u0014g\ufffd\ufffd\u0015j\/v`'\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8183,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8183 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdh\ufffdi\ufffd\ufffd\ufffd7NI8\ufffd;{8\ufffd\ufffdx\ufffd{\ufffdJ\ufffdS\/W\ufffdP\ufffd ~-\ufffdt[x\ufffd\ufffd\ufffd\u0532$\ufffdh\ufffd\ufffdkD\ufffd\ufffdg\ufffd\ufffdj\/v`'\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8183 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8183"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8183 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8183 · (tentative d'exploit)
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8183
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8183
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8183 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "0ffb263da3221f865f2cd9e254632a1fcc596066",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.452711190193076,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8183,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "a21e5f1ce88e4b695f1e59c4bb5255a259287cad",
"event_fingerprint": "f432632d479c26f8fa55f053ca79532513fc63f5",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "e922c98e2e2cb1aa13e8b1d548af02ed",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8183,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0a814d915ed9cfd5eba478889f3c9c5b529a3654",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8183,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8183 \u00b7 (tentative d'exploit)",
"target_port_label": "8183 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8183,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8183,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8183 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8183\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8183 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8183"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8507 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8507 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8507
Chemin / cible
—
Service
TLS
Payload
�����������������;H������g�WxP��^�CJ�N�%xZ �����b�`@.4S����Pg% :�~P�Ҟ0��;�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������������;H������g�WxP��^�CJ�N�%xZ �����b�`@.4S����Pg%�:�~P�Ҟ0��;�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������������;H������g�WxP��^�CJ�N�%xZ �����b�`@.4S����Pg% :�~P�Ҟ0��;�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.292645637716166,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8507,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6c9b6ab3ddad7b4f6ff1cec5487c09f9a17d92d5",
"event_fingerprint": "246ca0ed4263be29b874e9d035f112b51f5591a3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "2cdc5ad204176ccc821d77e2b0488ebd",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8507,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0002\u001e\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJ\bN\ufffd%xZ \ufffd\ufffd\ufffd\u0003\ufffdb\u0018`@.4S\u0019\ufffd\u0002\ufffdPg%\f:\u0005~P\u0014\u049e0\ufffd\ufffd;\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0002\u001e\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJ\bN\ufffd%xZ \ufffd\ufffd\ufffd\u0003\ufffdb\u0018`@.4S\u0019\ufffd\u0002\ufffdPg%\f:\u0005~P\u0014\u049e0\ufffd\ufffd;\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0002\u001e\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJ\bN\ufffd%xZ \ufffd\ufffd\ufffd\u0003\ufffdb\u0018`@.4S\u0019\ufffd\u0002\ufffdPg%\f:\u0005~P\u0014\u049e0\ufffd\ufffd;\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "20e6b7593164e749b0877fc93f9fc5ccd94a664b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0002\u001e\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJ\bN\ufffd%xZ \ufffd\ufffd\ufffd\u0003\ufffdb\u0018`@.4S\u0019\ufffd\u0002\ufffdPg%\f:\u0005~P\u0014\u049e0\ufffd\ufffd;\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8507,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJN\ufffd%xZ \ufffd\ufffd\ufffd\ufffdb`@.4S\ufffd\ufffdPg%:~P\u049e0\ufffd\ufffd;\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8507 \u00b7 (sonde \/ probe)",
"target_port_label": "8507 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8507,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0002\u001e\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJ\bN\ufffd%xZ \ufffd\ufffd\ufffd\u0003\ufffdb\u0018`@.4S\u0019\ufffd\u0002\ufffdPg%\f:\u0005~P\u0014\u049e0\ufffd\ufffd;\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8507,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8507 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd;H\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdg\ufffdWxP\ufffd\ufffd^\ufffdCJN\ufffd%xZ \ufffd\ufffd\ufffd\ufffdb`@.4S\ufffd\ufffdPg%:~P\u049e0\ufffd\ufffd;\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8507 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8507"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8507 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8507 · (tentative d'exploit)
|
Élevée
|
Moyen · 44
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8507
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8507
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8507 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "194518478c279c07435f773c174fa5e3234ccaee",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.450086963852543,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8507,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "eb4aa22ad593a07dcc69d61988156bec7719b7c2",
"event_fingerprint": "34b125e95d91395a91af5cb5ec15bc284e7a2ec2",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "eccfb1f7d13dc30c248048a652ba4e88",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8507,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0c62876bf3db64f1ba2be065ddc50f24682d4b0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8507,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8507 \u00b7 (tentative d'exploit)",
"target_port_label": "8507 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8507,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8507,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8507 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8507\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8507 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8507"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8748 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8748 · (tentative d'exploit)
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8748
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 43
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8748
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8748 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "07f375eb2876429b80882347bd1fcd455b2147b2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.456843371876646,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8748,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "be06a7d7f6c7345f43109c833c4ae5e32f7c4c45",
"event_fingerprint": "2b9e07508cad99e6b5783e2a39b82cb677467e88",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "c128647dd5cb6a4d4a68a899dfad9699",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8748,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d2ab8b300423c39d142ddafcc60b4aa2e44fe51c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8748,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8748 \u00b7 (tentative d'exploit)",
"target_port_label": "8748 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8748,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8748,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8748 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8748\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8748 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8748"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8748 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8748 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8748
Chemin / cible
—
Service
TLS
Payload
����������������x����O�&r���A(�������>S+�6 <dn|�B�Q��#l.s�X���������P�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������x����O�&r���A(�������>S+�6 <dn|�B�Q��#l.s�X���������P�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
����������������x����O�&r���A(�������>S+�6 <dn|�B�Q��#l.s�X���������P�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.29079851808659,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8748,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d930af59f825ab6dbd43913e583b2c5bb1cda037",
"event_fingerprint": "3fb24253ed6a0912bdf3c72927fea2017248eee3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "2bab8a2c15ceb975bd35b0b804d4a823",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8748,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\u0011\u001e\ufffdO\ufffd&r\ufffd\ufffd\u001cA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\u0001\u0003\ufffd\ufffd\u0019\ufffd\ufffd\ufffdP\u001d\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\u0011\u001e\ufffdO\ufffd&r\ufffd\ufffd\u001cA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\u0001\u0003\ufffd\ufffd\u0019\ufffd\ufffd\ufffdP\u001d\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\u0011\u001e\ufffdO\ufffd&r\ufffd\ufffd\u001cA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\u0001\u0003\ufffd\ufffd\u0019\ufffd\ufffd\ufffdP\u001d\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "722567caab2b3c20ec5ed863037e67860c655ad7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\u0011\u001e\ufffdO\ufffd&r\ufffd\ufffd\u001cA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\u0001\u0003\ufffd\ufffd\u0019\ufffd\ufffd\ufffdP\u001d\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8748,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffdO\ufffd&r\ufffd\ufffdA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8748 \u00b7 (sonde \/ probe)",
"target_port_label": "8748 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8748,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\u0011\u001e\ufffdO\ufffd&r\ufffd\ufffd\u001cA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\u0001\u0003\ufffd\ufffd\u0019\ufffd\ufffd\ufffdP\u001d\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8748,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8748 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdx\ufffd\ufffdO\ufffd&r\ufffd\ufffdA(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>S+\ufffd6 <dn|\ufffdB\ufffdQ\ufffd\ufffd#l.s\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8748 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8748"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
29077 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:29077 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
29077
Chemin / cible
—
Service
TLS
Payload
������������qlQ�q�S�Ip�r�����5ǝu%|j4���K� ���&�T��u3��Pf��z�q?u<�Q!�<l�+��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������qlQ�q�S�Ip�r�����5ǝu%|j4���K� ���&�T��u3��Pf��z�q?u<�Q!�<l�+��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������qlQ�q�S�Ip�r�����5ǝu%|j4���K� ���&�T��u3��Pf��z�q?u<�Q!�<l�+��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.314898943505179,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 29077,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "477857f715c87efd3deb0d99d6110a829379838b",
"event_fingerprint": "e778e3ca5db35c35d1abda56f5170e102a875a94",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "9fb5e4d3d55b095f630d7f417dfb9887",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 29077,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\u0004\ufffd\ufffd\ufffd5\u01ddu%|j4\u0010\ufffd\ufffdK\ufffd \u0012\ufffd\ufffd&\ufffdT\ufffd\ufffdu3\u0014\ufffdPf\u001f\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\u001f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\u0004\ufffd\ufffd\ufffd5\u01ddu%|j4\u0010\ufffd\ufffdK\ufffd \u0012\ufffd\ufffd&\ufffdT\ufffd\ufffdu3\u0014\ufffdPf\u001f\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\u001f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\u0004\ufffd\ufffd\ufffd5\u01ddu%|j4\u0010\ufffd\ufffdK\ufffd \u0012\ufffd\ufffd&\ufffdT\ufffd\ufffdu3\u0014\ufffdPf\u001f\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\u001f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "745059df4e510ce32ec7caee15bf2c14ea4bf8f9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\u0004\ufffd\ufffd\ufffd5\u01ddu%|j4\u0010\ufffd\ufffdK\ufffd \u0012\ufffd\ufffd&\ufffdT\ufffd\ufffdu3\u0014\ufffdPf\u001f\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\u001f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 29077,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\ufffd\ufffd\ufffd5\u01ddu%|j4\ufffd\ufffdK\ufffd \ufffd\ufffd&\ufffdT\ufffd\ufffdu3\ufffdPf\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:29077 \u00b7 (sonde \/ probe)",
"target_port_label": "29077 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 29077,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\u0004\ufffd\ufffd\ufffd5\u01ddu%|j4\u0010\ufffd\ufffdK\ufffd \u0012\ufffd\ufffd&\ufffdT\ufffd\ufffdu3\u0014\ufffdPf\u001f\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\u001f\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 29077,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:29077 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdqlQ\ufffdq\ufffdS\ufffdIp\ufffdr\ufffd\ufffd\ufffd\ufffd5\u01ddu%|j4\ufffd\ufffdK\ufffd \ufffd\ufffd&\ufffdT\ufffd\ufffdu3\ufffdPf\ufffdz\ufffdq?u<\ufffdQ!\ufffd<l\ufffd+\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "29077 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "29077"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
29077 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:29077 · (tentative d'exploit)
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
29077
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:29077
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:29077 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "8bc7cd15a63164cf7150b806e43fcf775e449f86",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 400,
"payload_entropy": 5.454786393580445,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 29077,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b180d94bd1a2e37798f92989b5834dce39ccbc3c",
"event_fingerprint": "3602b34796b23a9adf7c3d59baea14c079291b25",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "4aaceea3d815cee771405f6810d2f140",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 29077,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "606504f12440915b00be6a12ccf9d88bdf2498f0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 29077,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "xss attack \u00b7 via HTTP:29077 \u00b7 (tentative d'exploit)",
"target_port_label": "29077 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 29077,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 29077,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:29077 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29077\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "29077 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "29077"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
198 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:198 · (tentative d'exploit)
|
Élevée
|
Moyen · 44
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
198
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:198
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:198 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apn
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "ee5712a32df69a19733bc941e030960cc0c7e937",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 398,
"payload_entropy": 5.452462209355972,
"port_category": "well_known",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 198,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "03a90a83c7a3b9b0012649b55ef6088847648f77",
"event_fingerprint": "bf94e09a15b6f7438d0c46660b7c636b4e4fff38",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "946f630b0ace44fb65ce39eca2004cf4",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 198,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2aec7bd1e46e4ae02edb136222334038c0f71e42",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 198,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "xss attack \u00b7 via HTTP:198 \u00b7 (tentative d'exploit)",
"target_port_label": "198 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 198,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 198,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:198 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:198\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "198 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "198"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
198 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:198 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
198
Chemin / cible
—
Service
TLS
Payload
�������������f�݊� ���O4���[��k��D��w�I�O�� ��}���q��D�<a\�"�Rw���[}��O�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������f�݊�
���O4���[��k��D��w�I�O�� ��}���q��D�<a\�"�Rw���[}��O�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�������������f�݊� ���O4���[��k��D��w�I�O�� ��}���q��D�<a\�"�Rw���[}��O�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.289287420970154,
"port_category": "well_known",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 198,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "04b322cb4f7785aef82c071cec04bdd153b8b041",
"event_fingerprint": "497d9d05cbe7b0563ea4b5451cea1485572da5a7",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "46b25cdba93f695420cda35611296b02",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 198,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdf\ufffd\u074a\u001d\r\ufffd\ufffd\ufffdO4\u0000\ufffd\u0018[\u001f\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdI\u0001O\ufffd\ufffd \u000f\ufffd}\ufffd\ufffd\ufffdq\u001e\ufffdD\ufffd<a\\\u0013\"\u0016Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\u001f\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdf\ufffd\u074a\u001d\r\ufffd\ufffd\ufffdO4\u0000\ufffd\u0018[\u001f\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdI\u0001O\ufffd\ufffd \u000f\ufffd}\ufffd\ufffd\ufffdq\u001e\ufffdD\ufffd<a\\\u0013\"\u0016Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\u001f\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdf\ufffd\u074a\u001d\r\ufffd\ufffd\ufffdO4\u0000\ufffd\u0018[\u001f\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdI\u0001O\ufffd\ufffd \u000f\ufffd}\ufffd\ufffd\ufffdq\u001e\ufffdD\ufffd<a\\\u0013\"\u0016Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\u001f\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2a32488f0b59777bfec3f6826ee531afb854c4f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdf\ufffd\u074a\u001d\r\ufffd\ufffd\ufffdO4\u0000\ufffd\u0018[\u001f\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdI\u0001O\ufffd\ufffd \u000f\ufffd}\ufffd\ufffd\ufffdq\u001e\ufffdD\ufffd<a\\\u0013\"\u0016Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\u001f\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 198,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdf\ufffd\u074a\r\ufffd\ufffd\ufffdO4\ufffd[\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdIO\ufffd\ufffd \ufffd}\ufffd\ufffd\ufffdq\ufffdD\ufffd<a\\\"Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:198 \u00b7 (sonde \/ probe)",
"target_port_label": "198 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 198,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdf\ufffd\u074a\u001d\r\ufffd\ufffd\ufffdO4\u0000\ufffd\u0018[\u001f\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdI\u0001O\ufffd\ufffd \u000f\ufffd}\ufffd\ufffd\ufffdq\u001e\ufffdD\ufffd<a\\\u0013\"\u0016Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\u001f\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 198,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:198 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdf\ufffd\u074a\r\ufffd\ufffd\ufffdO4\ufffd[\ufffdk\ufffd\ufffdD\ufffd\ufffdw\ufffdIO\ufffd\ufffd \ufffd}\ufffd\ufffd\ufffdq\ufffdD\ufffd<a\\\"Rw\ufffd\ufffd\ufffd[}\ufffd\ufffdO\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "198 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "198"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9022 · Sonde registre (Nexus/Artifactory)
|
registry-probe
|
docker registry probe
docker registry probe · via Sonde registre (Nexus/Artifactory):9022 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
REGISTRY-PROBE
WAF
—
Recommandation
Surveiller
Tags
net_docker_registry_probe
registry_probe_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9022
Chemin / cible
—
Service
Sonde registre (Nexus/Artifactory)
Payload
�����������h� l�5�z���7��ԝ�B���ÀLw0oD[�� Ct|�ߣ8���N�yQUT�i� V��+�C��iת�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « docker_registry_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������h�
l�5�z���7��ԝ�B���ÀLw0oD[��
Ct|�ߣ8���N�yQUT�i� V��+�C��iת�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������h� l�5�z���7��ԝ�B���ÀLw0oD[�� Ct|�ߣ8���N�yQUT�i� V��+�C��iת�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742072656769737472795f70726f626520726561647920706f72743d393032320d0a",
"emulator_response_len": 45,
"bytes_in": 517,
"payload_entropy": 4.298327988451579,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "registry-probe",
"app_proto": "registry-probe",
"asn": 209896,
"country": "US",
"dst_port": 9022,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "71a391b7fe7ffcb887d9b163fcf75548f05f8e63",
"event_fingerprint": "40a95196e7afd453ef4a7bfce342cfbe8d816115",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"service_name": "registry-probe",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6c837ed338d2a477afb37f4ddcee1654",
"path_pattern_hash": "2e1ea7d0b20faa2966920ecaa9240c22"
},
"target_context": {
"dst_port": 9022,
"service": "registry-probe",
"service_name": "registry-probe",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffd\nl\ufffd5\u0010z\u0018\ufffd\ufffd7\ufffd\ufffd\u051d\u0014B\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\u0019\r Ct|\u0006\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\u0017\tV\ufffd\u0010+\ufffdC\u0010\ufffdi\u05ea\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffd\nl\ufffd5\u0010z\u0018\ufffd\ufffd7\ufffd\ufffd\u051d\u0014B\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\u0019\r Ct|\u0006\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\u0017\tV\ufffd\u0010+\ufffdC\u0010\ufffdi\u05ea\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffd\nl\ufffd5\u0010z\u0018\ufffd\ufffd7\ufffd\ufffd\u051d\u0014B\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\u0019\r Ct|\u0006\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\u0017\tV\ufffd\u0010+\ufffdC\u0010\ufffdi\u05ea\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"cloud_infra_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "184ac2359f3ed9c75b6980f9388cf179f3edf227",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffd\nl\ufffd5\u0010z\u0018\ufffd\ufffd7\ufffd\ufffd\u051d\u0014B\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\u0019\r Ct|\u0006\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\u0017\tV\ufffd\u0010+\ufffdC\u0010\ufffdi\u05ea\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"evidence_snippet": "\ufffdh\ufffd\nl\ufffd5z\ufffd\ufffd7\ufffd\ufffd\u051dB\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\r Ct|\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\tV\ufffd+\ufffdC\ufffdi\u05ea\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "docker registry probe \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (sonde \/ probe)",
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab docker_registry_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)",
"dst_port": 9022,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-registry-probe",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003h\ufffd\nl\ufffd5\u0010z\u0018\ufffd\ufffd7\ufffd\ufffd\u051d\u0014B\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\u0019\r Ct|\u0006\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\u0017\tV\ufffd\u0010+\ufffdC\u0010\ufffdi\u05ea\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"attack_vector": "docker registry probe \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdh\ufffd\nl\ufffd5z\ufffd\ufffd7\ufffd\ufffd\u051dB\ufffd\ufffd\ufffd\u00c0Lw0oD[\ufffd\r Ct|\u07e38\ufffd\ufffd\ufffdN\ufffdyQUT\ufffdi\tV\ufffd+\ufffdC\ufffdi\u05ea\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "registry_probe",
"service_banner": "honeypot-registry-probe",
"service_os": "linux",
"dst_port": "9022"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_docker_registry_probe",
"registry_probe_emulated",
"tls_clienthello"
]
}
|
|
|
TCP |
9022 · Sonde registre (Nexus/Artifactory)
|
registry-probe
|
Cross-site scripting
xss attack · via Sonde registre (Nexus/Artifactory):9022 · (tentative d'exploit)
|
Élevée
|
Moyen · 42
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
REGISTRY-PROBE
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_docker_registry_probe
registry_probe_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9022
Chemin / cible
—
Service
Sonde registre (Nexus/Artifactory)
Payload
GET / HTTP/1.1 Host: 62.3.50.33:9022 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 42
Confiance : Confiance 59 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9022
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9022 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742072656769737472795f70726f626520726561647920706f72743d393032320d0a",
"emulator_response_len": 45,
"bytes_in": 399,
"payload_entropy": 5.453457835952659,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "registry-probe",
"app_proto": "registry-probe",
"asn": 209896,
"country": "US",
"dst_port": 9022,
"risk_waf": 8,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "ab93fde5071837913a1a3702b05b4b73c9811ad4",
"event_fingerprint": "40a95196e7afd453ef4a7bfce342cfbe8d816115",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 8,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "registry-probe",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0a736dcc88975686eab5478b1028d514",
"path_pattern_hash": "e84c630ed8a3a6084c1b662f626e7300"
},
"target_context": {
"dst_port": 9022,
"service": "registry-probe",
"service_name": "registry-probe",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7ad5adc5a26fe68d4748cc6532b06715f57ce94a",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (tentative d'exploit)",
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via Sonde registre (Nexus\/Artifactory)",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 8,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 42
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)",
"dst_port": 9022,
"protocol_emulated": true,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-registry-probe",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"port": 9022,
"service": "registry-probe",
"service_label_fr": "Sonde registre (Nexus\/Artifactory)"
},
"attack_vector": "xss attack \u00b7 via Sonde registre (Nexus\/Artifactory):9022 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9022\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "9022 \u00b7 Sonde registre (Nexus\/Artifactory)",
"emulator_service": "registry-probe",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "registry_probe",
"service_banner": "honeypot-registry-probe",
"service_os": "linux",
"dst_port": "9022"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_docker_registry_probe",
"registry_probe_emulated"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
9492 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:9492 · (tentative d'exploit)
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9492
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 43
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9492
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9492 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "a07175102065597a4eedd8fa52c57906f5f21cea",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.456843371876647,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 9492,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "a63ccbe8d48707bad6e8073b833435f0514fc223",
"event_fingerprint": "2c9dc7417e521132743a39ca6cf5b1900076b973",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "4248cbf8a49e36ab37853928b72db2f3",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9492,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4336f87baca541e48bd7a9443c5b9b23265842a3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9492,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:9492 \u00b7 (tentative d'exploit)",
"target_port_label": "9492 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9492,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9492,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:9492 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9492\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "9492 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9492"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
9492 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:9492 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9492
Chemin / cible
—
Service
TLS
Payload
�����������}-�,)���m���S/������������|� 9� F��Iyw1����L� w��j,��-W�9X�'���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������}-�,)���m���S/������������|� 9� F��Iyw1����L� w��j,��-W�9X�'���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������}-�,)���m���S/������������|� 9� F��Iyw1����L� w��j,��-W�9X�'���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.292051175109536,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 9492,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "060a4fe98dd000fbdb93128a87aef26e84f16fdf",
"event_fingerprint": "c0793d5faa38cc84cec155b9f812712efbb808d9",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "c9baf3ecf5c65a5b09119299f01a2063",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 9492,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003}-\ufffd,)\ufffd\ufffd\ufffdm\u000f\ufffd\u0015S\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd|\ufffd\t9\ufffd F\ufffd\u001aIyw1\ufffd\ufffd\ufffd\u001cL\u0003 w\u001d\ufffdj,\u000e\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003}-\ufffd,)\ufffd\ufffd\ufffdm\u000f\ufffd\u0015S\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd|\ufffd\t9\ufffd F\ufffd\u001aIyw1\ufffd\ufffd\ufffd\u001cL\u0003 w\u001d\ufffdj,\u000e\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003}-\ufffd,)\ufffd\ufffd\ufffdm\u000f\ufffd\u0015S\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd|\ufffd\t9\ufffd F\ufffd\u001aIyw1\ufffd\ufffd\ufffd\u001cL\u0003 w\u001d\ufffdj,\u000e\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "78ea2351f3314f608ee38860eac2040849a30e77",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003}-\ufffd,)\ufffd\ufffd\ufffdm\u000f\ufffd\u0015S\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd|\ufffd\t9\ufffd F\ufffd\u001aIyw1\ufffd\ufffd\ufffd\u001cL\u0003 w\u001d\ufffdj,\u000e\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9492,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd}-\ufffd,)\ufffd\ufffd\ufffdm\ufffdS\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|\ufffd\t9\ufffd F\ufffdIyw1\ufffd\ufffd\ufffdL w\ufffdj,\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:9492 \u00b7 (sonde \/ probe)",
"target_port_label": "9492 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9492,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003}-\ufffd,)\ufffd\ufffd\ufffdm\u000f\ufffd\u0015S\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd|\ufffd\t9\ufffd F\ufffd\u001aIyw1\ufffd\ufffd\ufffd\u001cL\u0003 w\u001d\ufffdj,\u000e\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9492,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:9492 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd}-\ufffd,)\ufffd\ufffd\ufffdm\ufffdS\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd|\ufffd\t9\ufffd F\ufffdIyw1\ufffd\ufffd\ufffdL w\ufffdj,\ufffd-W\ufffd9X\ufffd'\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "9492 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9492"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9727 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:9727 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9727
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9727
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9727 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "ea12b9238f927046756100afdcbd6f7d672305eb",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.4559297679252685,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 9727,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "865fd9bf3f149d3defaaec95027aad06d2dea11c",
"event_fingerprint": "fb9f0eec6ef7d835cf83974a2e51119019ea26b4",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "51179df020b4c431ee9fc86b49adf8c2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9727,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3c5a530f0fe0212b668757ae7dd8f1794d06a8e0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9727,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:9727 \u00b7 (tentative d'exploit)",
"target_port_label": "9727 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9727,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9727,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:9727 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9727\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "9727 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9727"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
9727 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:9727 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9727
Chemin / cible
—
Service
TLS
Payload
�����������ŴR���,;��z<Ď {yҍ�<�jx��c/�� � ��K���o�ғ���|��V�a�;%���G�y1���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ŴR���,;��z<Ď {yҍ�<�jx��c/��
� ��K���o�ғ���|��V�a�;%���G�y1���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������ŴR���,;��z<Ď {yҍ�<�jx��c/�� � ��K���o�ғ���|��V�a�;%���G�y1���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.326913054539763,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 9727,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b6ecbc934091500e37f11162073419b353e125f0",
"event_fingerprint": "b34f937ad367eef932017efa8e8385f4695dae05",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "62f5c41f7ce8e0c6be47c3e3874f220a",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 9727,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0174R\ufffd\ufffd\ufffd,;\ufffd\u0007z<\u010e {y\u048d\ufffd<\u0012jx\u000f\u0017c\/\u0006\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\u0017\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0174R\ufffd\ufffd\ufffd,;\ufffd\u0007z<\u010e {y\u048d\ufffd<\u0012jx\u000f\u0017c\/\u0006\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\u0017\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0174R\ufffd\ufffd\ufffd,;\ufffd\u0007z<\u010e {y\u048d\ufffd<\u0012jx\u000f\u0017c\/\u0006\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\u0017\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e097dea9dfec486ea9b255d0943575a7da90081",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0174R\ufffd\ufffd\ufffd,;\ufffd\u0007z<\u010e {y\u048d\ufffd<\u0012jx\u000f\u0017c\/\u0006\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\u0017\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9727,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\u0174R\ufffd\ufffd\ufffd,;\ufffdz<\u010e {y\u048d\ufffd<jxc\/\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:9727 \u00b7 (sonde \/ probe)",
"target_port_label": "9727 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9727,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0174R\ufffd\ufffd\ufffd,;\ufffd\u0007z<\u010e {y\u048d\ufffd<\u0012jx\u000f\u0017c\/\u0006\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\u0017\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9727,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:9727 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\u0174R\ufffd\ufffd\ufffd,;\ufffdz<\u010e {y\u048d\ufffd<jxc\/\ufffd\r\ufffd \ufffd\ufffdK\ufffd\ufffd\ufffdo\ufffd\u0493\ufffd\ufffd\ufffd|\ufffd\ufffdV\ufffda\ufffd;%\ufffd\ufffd\ufffdG\ufffdy1\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "9727 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9727"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9394 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:9394 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9394
Chemin / cible
—
Service
TLS
Payload
�����������ܕ)�stJ�Ӑ�.�P���F2��.f�)[݈� ���}c��)���v������T�M�P�]X�/I����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ܕ)�stJ�Ӑ�.�P���F2��.f�)[݈� ���}c��)���v������T�M�P�]X�/I����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������ܕ)�stJ�Ӑ�.�P���F2��.f�)[݈� ���}c��)���v������T�M�P�]X�/I����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.277615756237862,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 9394,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "93d6b309a484320f7213b083cdfb1d810b04f1dd",
"event_fingerprint": "0a625157024bc22a23c2b65020df0d77928a7112",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "63d5d91b51f325267565764134997902",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 9394,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\u0013\ufffd.f\ufffd)[\u0748\ufffd \u0017\ufffd\ufffd}c\ufffd\u0018)\u0001\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdM\u0005P\ufffd]X\ufffd\/I\ufffd\b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\u0013\ufffd.f\ufffd)[\u0748\ufffd \u0017\ufffd\ufffd}c\ufffd\u0018)\u0001\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdM\u0005P\ufffd]X\ufffd\/I\ufffd\b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\u0013\ufffd.f\ufffd)[\u0748\ufffd \u0017\ufffd\ufffd}c\ufffd\u0018)\u0001\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdM\u0005P\ufffd]X\ufffd\/I\ufffd\b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "96d66d4232386724d4af87074748975e7467fc38",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\u0013\ufffd.f\ufffd)[\u0748\ufffd \u0017\ufffd\ufffd}c\ufffd\u0018)\u0001\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdM\u0005P\ufffd]X\ufffd\/I\ufffd\b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9394,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\ufffd.f\ufffd)[\u0748\ufffd \ufffd\ufffd}c\ufffd)\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdMP\ufffd]X\ufffd\/I\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:9394 \u00b7 (sonde \/ probe)",
"target_port_label": "9394 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9394,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\u0013\ufffd.f\ufffd)[\u0748\ufffd \u0017\ufffd\ufffd}c\ufffd\u0018)\u0001\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdM\u0005P\ufffd]X\ufffd\/I\ufffd\b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9394,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:9394 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\u0715)\ufffdst\u05f7J\ufffd\u04d0\ufffd.\ufffdP\ufffd\ufffd\ufffdF2\ufffd.f\ufffd)[\u0748\ufffd \ufffd\ufffd}c\ufffd)\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffdMP\ufffd]X\ufffd\/I\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "9394 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9394"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9394 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:9394 · (tentative d'exploit)
|
Élevée
|
Moyen · 42
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9394
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9394
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9394 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "1ab203c6b91c7115b615faafa4c81e9df65bc05c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.45050421144311,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 9394,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "48f8a53e7cd2761cee62f6da01a9801e4fb00004",
"event_fingerprint": "6b0308ab3931a2f63d5250c456669d6acbd61342",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "3c3193d20ec71aadce4f3a3b32178d5f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9394,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "33a1fbcc9459f5c25239ec6e86722e85777a3e24",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9394,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:9394 \u00b7 (tentative d'exploit)",
"target_port_label": "9394 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9394,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9394,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:9394 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9394\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "9394 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9394"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8244 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8244 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8244
Chemin / cible
—
Service
TLS
Payload
�����������,Cܺ31������ �5������m��x��5� �5���eT�*�#|�ˠ������֫,��ؤ���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������,Cܺ31��������5������m��x��5� �5���eT�*�#|�ˠ������֫,��ؤ���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������,Cܺ31������ �5������m��x��5� �5���eT�*�#|�ˠ������֫,��ؤ���\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.297066678613742,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8244,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "4dd5f51f19579990ee2fb4e189f71a4f1df1d316",
"event_fingerprint": "93c97d806c9aa07ab8588b1b88164002ff8f5eb2",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "8d1586bc0e6538379f274fd2821d8047",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8244,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,C\u073a31\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\u00125\ufffd\ufffd\u0013\ufffd\u001c\u0011m\ufffd\u0011x\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\u0010\u0006\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0016\u0624\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,C\u073a31\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\u00125\ufffd\ufffd\u0013\ufffd\u001c\u0011m\ufffd\u0011x\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\u0010\u0006\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0016\u0624\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,C\u073a31\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\u00125\ufffd\ufffd\u0013\ufffd\u001c\u0011m\ufffd\u0011x\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\u0010\u0006\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0016\u0624\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "64408936c2cf177fdef38f8be71b827755e049bf",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,C\u073a31\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\u00125\ufffd\ufffd\u0013\ufffd\u001c\u0011m\ufffd\u0011x\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\u0010\u0006\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0016\u0624\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8244,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd,C\u073a31\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\ufffdm\ufffdx\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0624\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8244 \u00b7 (sonde \/ probe)",
"target_port_label": "8244 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8244,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003,C\u073a31\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\u00125\ufffd\ufffd\u0013\ufffd\u001c\u0011m\ufffd\u0011x\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\u0010\u0006\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0016\u0624\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8244,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8244 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd,C\u073a31\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\ufffdm\ufffdx\ufffd\ufffd5\ufffd \ufffd5\ufffd\ufffd\ufffdeT\ufffd*\ufffd#|\ufffd\u02e0\ufffd\ufffd\ufffd\ufffd\u05ab,\ufffd\u0624\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8244 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8244"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8244 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8244 · (tentative d'exploit)
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8244
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8244
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8244 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "7fc0b8210e17f3eef6ebe9240b2a389896ee1261",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.457821716552244,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8244,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "364f293e67d59edb1849c3f69a7540eabfae3234",
"event_fingerprint": "12494e30482e5b8c3f630fdb68ad5c3e579528e1",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "38aace4ebe3be0c5ef474f43c53a27fc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8244,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a6641d48d56707365dac6a0ad7ae6c030cce4b8d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8244,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8244 \u00b7 (tentative d'exploit)",
"target_port_label": "8244 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8244,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8244,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8244 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8244\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8244 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8244"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6999 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:6999 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6999
Chemin / cible
—
Service
TLS
Payload
�����������������ʬ���l&Z�^�R=�?���������� g���%�JW� �2��l���*��у���4����B�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������������ʬ���l&Z�^�R=�?���������� g���%�JW�
�2��l���*��у���4����B�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�����������������ʬ���l&Z�^�R=�?���������� g���%�JW� �2��l���*��у���4����B�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.267709373534316,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 6999,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "203c9357c64138a1ba4c06e070c852b0122a73f0",
"event_fingerprint": "be9237eb33ad9e905c8c4533923c03694dbc259a",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "332e8410baf336ff7d836fc73702e64d",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 6999,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013\ufffd\ufffd\u02ac\ufffd\u0004\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\u001d\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\u0013\ufffdB\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013\ufffd\ufffd\u02ac\ufffd\u0004\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\u001d\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\u0013\ufffdB\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013\ufffd\ufffd\u02ac\ufffd\u0004\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\u001d\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\u0013\ufffdB\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "283f7d6a901cfe666301c77a5ec3a577190eb883",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013\ufffd\ufffd\u02ac\ufffd\u0004\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\u001d\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\u0013\ufffdB\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 6999,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u02ac\ufffd\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffdB\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:6999 \u00b7 (sonde \/ probe)",
"target_port_label": "6999 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 6999,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013\ufffd\ufffd\u02ac\ufffd\u0004\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\u001d\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\u0013\ufffdB\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 6999,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:6999 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u02ac\ufffd\ufffdl&Z\ufffd^\ufffdR=\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd g\ufffd\ufffd%\ufffdJW\ufffd\n\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffd*\ufffd\ufffd\u0443\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffdB\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "6999 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "6999"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
6999 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:6999 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6999
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:6999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:6999 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "f3cbc4372aa422e4476d0f3e9fe8c49605069e50",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.451167525995719,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 6999,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f92d0862882acdd5ccab200ebf8056c247846dc7",
"event_fingerprint": "3fc090426439220399d136f61a88484b0fb4a4fe",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "bd0bcd1fdbef0a4e8dba53a16005c65e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 6999,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "411e872dbe793e9bf10770fc83d256e13ab74016",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 6999,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:6999 \u00b7 (tentative d'exploit)",
"target_port_label": "6999 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 6999,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 6999,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:6999 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6999\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "6999 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "6999"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8515 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8515 · (tentative d'exploit)
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8515
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8515
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8515 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "899b38f4f8c4c31db31e626ab9dd6a35b405416e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.452145870671314,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8515,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3b0b2f7874f319cb27568cec85db6ce9ebf525ff",
"event_fingerprint": "9152d93cf4aa243e011eeae70272176197bdd704",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "540b4398097891987ccc9deb2651a4d5",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8515,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "586e0fd4e3f672485f594ba826a0e8eadc3d9fa4",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8515,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8515 \u00b7 (tentative d'exploit)",
"target_port_label": "8515 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8515,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8515,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8515 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8515\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8515 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8515"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8515 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8515 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8515
Chemin / cible
—
Service
TLS
Payload
������������&�gJ"|@��D>as���%��fB��ʩ�w�K �8���z69�܌��� kfl'�j|��1��f��o��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������&�gJ"|@��D>as���%��fB��ʩ�w�K �8���z69�܌��� kfl'�j|��1��f��o��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������&�gJ"|@��D>as���%��fB��ʩ�w�K �8���z69�܌��� kfl'�j|��1��f��o��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.324489995322613,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8515,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "564cc813a2acee4225a36018913bd2260c8fab0f",
"event_fingerprint": "17e9ca0be086315916cdecb2b0e4fa44e5f85125",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "06333535ed43b9e44ef05b97f1436df5",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8515,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\u001b\ufffdf\ufffd\ufffdo\u0001\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\u001b\ufffdf\ufffd\ufffdo\u0001\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\u001b\ufffdf\ufffd\ufffdo\u0001\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f81dd55ad58b9b343f2842565378f8f84975df07",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\u001b\ufffdf\ufffd\ufffdo\u0001\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8515,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\ufffdf\ufffd\ufffdo\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8515 \u00b7 (sonde \/ probe)",
"target_port_label": "8515 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8515,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\u001b\ufffdf\ufffd\ufffdo\u0001\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8515,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8515 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd&\ufffdgJ\"|@\ufffd\ufffdD>as\ufffd\ufffd\ufffd%\ufffd\ufffdfB\ufffd\ufffd\u02a9\ufffdw\ufffdK \ufffd8\ufffd\ufffd\ufffdz69\ufffd\u070c\ufffd\ufffd\ufffd\tkfl'\ufffdj|\ufffd\ufffd1\ufffdf\ufffd\ufffdo\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8515 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8515"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9315 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:9315 · (tentative d'exploit)
|
Élevée
|
Moyen · 44
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9315
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9315
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9315 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "1c48d1e2aebb441987c35a4dd4ae227f531a29a4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.448677003540353,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 9315,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e5ec6c2e2971f1e95fdaa62d944d3954e217a8f3",
"event_fingerprint": "94adb425f3bfec4a6e55bd293dc31d22c674a8b9",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "89ce0253770384153c741bb95c821c2c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9315,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3cd287118eb10d1899e8928bca9ce6a543949c0e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9315,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:9315 \u00b7 (tentative d'exploit)",
"target_port_label": "9315 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9315,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 9315,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:9315 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9315\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "9315 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9315"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
9315 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:9315 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9315
Chemin / cible
—
Service
TLS
Payload
������������F�tT|�%6�ĕ�[QI�1���=uI ������� �7�$�{���b�H�V����s���q�>��8z�d�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������F�tT|�%6�ĕ�[QI�1���=uI ������� �7�$�{���b�H�V����s���q�>��8z�d�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������F�tT|�%6�ĕ�[QI�1���=uI ������� �7�$�{���b�H�V����s���q�>��8z�d�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.293204488461112,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 9315,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ca62757b1a9f14b8cea2d176a7da0f06e427e8b9",
"event_fingerprint": "6f11665c05c03e086c795025d3551d6e49537433",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "8f8e9c65614907f0e39b4ba26deda323",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 9315,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdF\u001etT|\u001f%6\ufffd\u0115\ufffd[QI\ufffd1\u0016\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd\u0006\u0000\u001f \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdb\u0000H\ufffdV\ufffd\u0002\u0004\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd\u00068z\ufffdd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdF\u001etT|\u001f%6\ufffd\u0115\ufffd[QI\ufffd1\u0016\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd\u0006\u0000\u001f \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdb\u0000H\ufffdV\ufffd\u0002\u0004\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd\u00068z\ufffdd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdF\u001etT|\u001f%6\ufffd\u0115\ufffd[QI\ufffd1\u0016\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd\u0006\u0000\u001f \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdb\u0000H\ufffdV\ufffd\u0002\u0004\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd\u00068z\ufffdd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "01fe49e1bb851d2dc41ac7c9e7e03e811cc07f80",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdF\u001etT|\u001f%6\ufffd\u0115\ufffd[QI\ufffd1\u0016\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd\u0006\u0000\u001f \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdb\u0000H\ufffdV\ufffd\u0002\u0004\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd\u00068z\ufffdd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9315,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdFtT|%6\ufffd\u0115\ufffd[QI\ufffd1\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdbH\ufffdV\ufffd\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd8z\ufffdd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:9315 \u00b7 (sonde \/ probe)",
"target_port_label": "9315 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9315,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdF\u001etT|\u001f%6\ufffd\u0115\ufffd[QI\ufffd1\u0016\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd\u0006\u0000\u001f \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdb\u0000H\ufffdV\ufffd\u0002\u0004\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd\u00068z\ufffdd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 9315,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:9315 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdFtT|%6\ufffd\u0115\ufffd[QI\ufffd1\ufffd\ufffd=uI\t\ufffd\ufffd\ufffd\ufffd \ufffd7\ufffd$\ufffd{\ufffd\ufffd\ufffdbH\ufffdV\ufffd\ufffds\ufffd\ufffd\ufffdq\ufffd>\ufffd8z\ufffdd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "9315 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9315"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5770 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:5770 · (tentative d'exploit)
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5770
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 43
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5770
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5770 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "b8f19349cf5080076260ba678c6e3b4db96054b3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.44605277719982,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 5770,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "97eead679b45020628236ad399ce7acb9a485e6c",
"event_fingerprint": "31a07a053fe0646bb103142d8320747f37922531",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "a35cce0fe291673ee6b72b47df37703c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5770,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "99704ce807bb908661a921dab02911ef46cd4ded",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5770,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:5770 \u00b7 (tentative d'exploit)",
"target_port_label": "5770 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5770,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5770,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:5770 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5770\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "5770 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5770"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
5770 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5770 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5770
Chemin / cible
—
Service
TLS
Payload
������������$� �T�o��'��F�W��^��+�܉���hP J(�_���.{e�$RS����M���_���M���H�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������$� �T�o��'��F�W��^��+�܉���hP J(�_���.{e�$RS����M���_���M���H�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������$� �T�o��'��F�W��^��+�܉���hP J(�_���.{e�$RS����M���_���M���H�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.288381523883233,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 5770,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "531356e559cfa55a1d36752f3c85414d8484463f",
"event_fingerprint": "92e498968251ba53596ad23a8bfa9fff86fec651",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "7a64e9f080ad020af287ecefd4729c03",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5770,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd$\u0012\t\ufffdT\ufffdo\u000e\u0017'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffd\u0004hP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd$\u0012\t\ufffdT\ufffdo\u000e\u0017'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffd\u0004hP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd$\u0012\t\ufffdT\ufffdo\u000e\u0017'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffd\u0004hP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4b6cff7ccbc5e63583b4f56312f00872c5468ec3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd$\u0012\t\ufffdT\ufffdo\u000e\u0017'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffd\u0004hP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5770,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd$\t\ufffdT\ufffdo'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffdhP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:5770 \u00b7 (sonde \/ probe)",
"target_port_label": "5770 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5770,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd$\u0012\t\ufffdT\ufffdo\u000e\u0017'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffd\u0004hP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5770,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5770 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd$\t\ufffdT\ufffdo'\ufffd\ufffdF\ufffdW\ufffd\ufffd^\ufffd\ufffd+\ufffd\u0709\ufffd\ufffdhP J(\ufffd_\ufffd\ufffd\ufffd.{e\ufffd$RS\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffdH\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "5770 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5770"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
3392 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:3392 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
3392
Chemin / cible
—
Service
TLS
Payload
������������aS���$w������:�Q�Di<��>%l��=o�P �U���b�����Ce>����p�Լ�~�i5Fr1�$�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������aS���$w������:�Q�Di<��>%l��=o�P �U���b�����Ce>����p�Լ�~�i5Fr1�$�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������aS���$w������:�Q�Di<��>%l��=o�P �U���b�����Ce>����p�Լ�~�i5Fr1�$�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.307236245578576,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 3392,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e650af6454eaafff65c720bcd8869e01c8a84286",
"event_fingerprint": "b1d39bd6e7115acb73f596abccac35b03856e8f3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "663d2f0bd0d9a038e4cc4e7b32cc4b5b",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 3392,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdaS\ufffd\u001f\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd\u001b>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\u0013\u0015Ce>\ufffd\u001e\u0000\ufffdp\ufffd\u053c\u0004~\u0007i5Fr1\ufffd$\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdaS\ufffd\u001f\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd\u001b>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\u0013\u0015Ce>\ufffd\u001e\u0000\ufffdp\ufffd\u053c\u0004~\u0007i5Fr1\ufffd$\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdaS\ufffd\u001f\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd\u001b>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\u0013\u0015Ce>\ufffd\u001e\u0000\ufffdp\ufffd\u053c\u0004~\u0007i5Fr1\ufffd$\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "03ce803ed7e4d8159d1ea51ec97e2f5e6b52a5cd",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdaS\ufffd\u001f\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd\u001b>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\u0013\u0015Ce>\ufffd\u001e\u0000\ufffdp\ufffd\u053c\u0004~\u0007i5Fr1\ufffd$\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 3392,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdaS\ufffd\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffdCe>\ufffd\ufffdp\ufffd\u053c~i5Fr1\ufffd$\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:3392 \u00b7 (sonde \/ probe)",
"target_port_label": "3392 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 3392,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdaS\ufffd\u001f\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd\u001b>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\u0013\u0015Ce>\ufffd\u001e\u0000\ufffdp\ufffd\u053c\u0004~\u0007i5Fr1\ufffd$\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 3392,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:3392 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdaS\ufffd\ufffd$w\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdQ\ufffdDi<\ufffd>%l\ufffd\ufffd=o\ufffdP \ufffdU\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffdCe>\ufffd\ufffdp\ufffd\u053c~i5Fr1\ufffd$\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "3392 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "3392"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
3392 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:3392 · (tentative d'exploit)
|
Élevée
|
Moyen · 44
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3392
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3392
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3392 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "dfaef514cf791308121fa9b08d0953bd65861803",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.450003632645568,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 3392,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "a6fb7bf33364626f7cb7470efdad209732eb9e94",
"event_fingerprint": "c07ee5e0b1760e605eae370d1cd37b2dd974155f",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "1d82da183659d972dd89347f4cdd7fff",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3392,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "266946e1f907731068b050f0266d28330b92bc4b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 3392,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:3392 \u00b7 (tentative d'exploit)",
"target_port_label": "3392 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 3392,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 3392,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:3392 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3392\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "3392 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3392"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8270 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8270 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8270
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8270
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8270 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "78915ee80b97104c685a823088fbb60cfcb9734a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.454121150505268,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8270,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e9b3754dd2ee9d901a97849380dcf14a0f3ebe70",
"event_fingerprint": "b82f761dccf29af8084b5e95b4cae8345aba1fe5",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "0f70d3a4bf08c848362e4b1aa74a5c64",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8270,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2faa464a7953c52dca006f8b02fddb2036178c83",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8270,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8270 \u00b7 (tentative d'exploit)",
"target_port_label": "8270 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8270,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8270,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8270 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8270 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8270"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
8270 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8270 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8270
Chemin / cible
—
Service
TLS
Payload
������������]��I�J��p3�T����y�L����AA`t�e�n [�>��^�,LIV?M���m�� qv>�C?S��/��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������]��I�J��p3�T����y�L����AA`t�e�n [�>��^�,LIV?M���m���qv>�C?S��/��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������]��I�J��p3�T����y�L����AA`t�e�n [�>��^�,LIV?M���m�� qv>�C?S��/��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.282264917591601,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8270,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "9bedf7d33fe0c52e2ceaf446c641583091beda98",
"event_fingerprint": "6a653a534d4247342e9dee0c4a5fb82e7d970c14",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "b12f11b436a5f8b73222b807008854b7",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8270,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd]\u0011\u001dI\ufffdJ\u0014\ufffdp3\u0000T\ufffd\u001b\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd\b^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffd\u001b\u000bqv>\ufffdC?S\u0010\ufffd\/\u000e\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd]\u0011\u001dI\ufffdJ\u0014\ufffdp3\u0000T\ufffd\u001b\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd\b^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffd\u001b\u000bqv>\ufffdC?S\u0010\ufffd\/\u000e\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd]\u0011\u001dI\ufffdJ\u0014\ufffdp3\u0000T\ufffd\u001b\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd\b^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffd\u001b\u000bqv>\ufffdC?S\u0010\ufffd\/\u000e\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f981cb96879c802c3f2841452fa1d441e0c7b85d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd]\u0011\u001dI\ufffdJ\u0014\ufffdp3\u0000T\ufffd\u001b\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd\b^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffd\u001b\u000bqv>\ufffdC?S\u0010\ufffd\/\u000e\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd]I\ufffdJ\ufffdp3T\ufffd\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffdqv>\ufffdC?S\ufffd\/\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8270 \u00b7 (sonde \/ probe)",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8270,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd]\u0011\u001dI\ufffdJ\u0014\ufffdp3\u0000T\ufffd\u001b\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd\b^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffd\u001b\u000bqv>\ufffdC?S\u0010\ufffd\/\u000e\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8270 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd]I\ufffdJ\ufffdp3T\ufffd\ufffd\ufffdy\ufffdL\ufffd\ufffd\ufffd\ufffdAA`t\ufffde\ufffdn [\ufffd>\ufffd^\ufffd,LIV?M\ufffd\ufffd\ufffdm\ufffdqv>\ufffdC?S\ufffd\/\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8270"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8548 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:8548 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8548
Chemin / cible
—
Service
TLS
Payload
����������������6�I��X�k �+K���@L?�Y�Y�X�f o�Bۊ��ſ�F�7 ��ʹ�Oo��*Ǒ`�b&!`�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������6�I��X�k��+K���@L?�Y�Y�X�f o�Bۊ��ſ�F�7
��ʹ�Oo��*Ǒ`�b&!`�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
����������������6�I��X�k �+K���@L?�Y�Y�X�f o�Bۊ��ſ�F�7 ��ʹ�Oo��*Ǒ`�b&!`�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.318775473705314,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 8548,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "53dffc4a6f41217f8fd42daeccaeecb85239bd23",
"event_fingerprint": "7d208fa288836afb8eed9b9583854a86ad1d8f25",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "13c094ba0b6a9cc1eb96b422236ab4e5",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8548,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd6\ufffdI\ufffd\ufffdX\u001ak\u000b\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF\u00167\r\ufffd\u0006\u02b9\ufffdOo\ufffd\u0002*\u01d1`\ufffdb&!`\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd6\ufffdI\ufffd\ufffdX\u001ak\u000b\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF\u00167\r\ufffd\u0006\u02b9\ufffdOo\ufffd\u0002*\u01d1`\ufffdb&!`\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd6\ufffdI\ufffd\ufffdX\u001ak\u000b\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF\u00167\r\ufffd\u0006\u02b9\ufffdOo\ufffd\u0002*\u01d1`\ufffdb&!`\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fbeb38bb417ff0e7b9c63acaa40dec9414d434d3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd6\ufffdI\ufffd\ufffdX\u001ak\u000b\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF\u00167\r\ufffd\u0006\u02b9\ufffdOo\ufffd\u0002*\u01d1`\ufffdb&!`\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8548,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdI\ufffd\ufffdXk\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF7\r\ufffd\u02b9\ufffdOo\ufffd*\u01d1`\ufffdb&!`\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:8548 \u00b7 (sonde \/ probe)",
"target_port_label": "8548 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8548,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd6\ufffdI\ufffd\ufffdX\u001ak\u000b\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF\u00167\r\ufffd\u0006\u02b9\ufffdOo\ufffd\u0002*\u01d1`\ufffdb&!`\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 8548,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:8548 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdI\ufffd\ufffdXk\ufffd+K\ufffd\ufffd\ufffd@L?\ufffdY\ufffdY\ufffdX\ufffdf o\ufffdB\u06ca\ufffd\ufffd\u017f\ufffdF7\r\ufffd\u02b9\ufffdOo\ufffd*\u01d1`\ufffdb&!`\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "8548 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8548"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
8548 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:8548 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8548
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8548
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8548 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "778901aa94b4d57c5860e9824a2bf45528ab7bf4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.455929767925268,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 8548,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "76f6bd8f48cfdabfc930f6b1afce530da983edd0",
"event_fingerprint": "2d908980bd27cbf1d0aebd53834d2bf53ef0e58d",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "a047d2116249122a3e8ac2c4d9c5c4eb",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8548,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c74c1380e284baceb2cb2abaec27bf25a19d0b38",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8548,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:8548 \u00b7 (tentative d'exploit)",
"target_port_label": "8548 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8548,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 8548,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:8548 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8548\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8548 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8548"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
10006 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:10006 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10006
Chemin / cible
—
Service
TLS
Payload
������������&X.�(� ���o� S����7��G��q+��. �ϯ<P���53�����D�^��� -D�bs?_����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������&X.�(�����o��S����7��G��q+��. �ϯ<P���53�����D�^���
-D�bs?_����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������&X.�(� ���o� S����7��G��q+��. �ϯ<P���53�����D�^��� -D�bs?_����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.2777427814471345,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 10006,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "cd1664ea0d53b9da86315a032cbc77e5093d289a",
"event_fingerprint": "be1b4e824e4c14d1aa8e11f4b7c02ea0eec25051",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "28a0385d23cd720279526e08d75a272e",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 10006,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&X.\ufffd(\ufffd\f\ufffd\ufffd\ufffdo\ufffd\fS\ufffd\u0007\ufffd\ufffd7\ufffd\ufffdG\u000f\ufffd\u009aq+\ufffd\u0012. \ufffd\u03ef<P\ufffd\u0004\ufffd53\ufffd\ufffd\u001e\u0011\u0018D\u000e^\u001d\ufffd\u0018\r-D\ufffdbs?_\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&X.\ufffd(\ufffd\f\ufffd\ufffd\ufffdo\ufffd\fS\ufffd\u0007\ufffd\ufffd7\ufffd\ufffdG\u000f\ufffd\u009aq+\ufffd\u0012. \ufffd\u03ef<P\ufffd\u0004\ufffd53\ufffd\ufffd\u001e\u0011\u0018D\u000e^\u001d\ufffd\u0018\r-D\ufffdbs?_\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&X.\ufffd(\ufffd\f\ufffd\ufffd\ufffdo\ufffd\fS\ufffd\u0007\ufffd\ufffd7\ufffd\ufffdG\u000f\ufffd\u009aq+\ufffd\u0012. \ufffd\u03ef<P\ufffd\u0004\ufffd53\ufffd\ufffd\u001e\u0011\u0018D\u000e^\u001d\ufffd\u0018\r-D\ufffdbs?_\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "57529a3e2a834d60f7f3a8002a32e90a88dd1e15",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&X.\ufffd(\ufffd\f\ufffd\ufffd\ufffdo\ufffd\fS\ufffd\u0007\ufffd\ufffd7\ufffd\ufffdG\u000f\ufffd\u009aq+\ufffd\u0012. \ufffd\u03ef<P\ufffd\u0004\ufffd53\ufffd\ufffd\u001e\u0011\u0018D\u000e^\u001d\ufffd\u0018\r-D\ufffdbs?_\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 10006,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd&X.\ufffd(\ufffd\ufffd\ufffd\ufffdo\ufffdS\ufffd\ufffd\ufffd7\ufffd\ufffdG\ufffd\u009aq+\ufffd. \ufffd\u03ef<P\ufffd\ufffd53\ufffd\ufffdD^\ufffd\r-D\ufffdbs?_\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:10006 \u00b7 (sonde \/ probe)",
"target_port_label": "10006 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10006,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd&X.\ufffd(\ufffd\f\ufffd\ufffd\ufffdo\ufffd\fS\ufffd\u0007\ufffd\ufffd7\ufffd\ufffdG\u000f\ufffd\u009aq+\ufffd\u0012. \ufffd\u03ef<P\ufffd\u0004\ufffd53\ufffd\ufffd\u001e\u0011\u0018D\u000e^\u001d\ufffd\u0018\r-D\ufffdbs?_\ufffd\ufffd\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 10006,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:10006 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd&X.\ufffd(\ufffd\ufffd\ufffd\ufffdo\ufffdS\ufffd\ufffd\ufffd7\ufffd\ufffdG\ufffd\u009aq+\ufffd. \ufffd\u03ef<P\ufffd\ufffd53\ufffd\ufffdD^\ufffd\r-D\ufffdbs?_\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "10006 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10006"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10006 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:10006 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10006
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10006
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10006 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "37575132636d5e10a6dcfabf83b91ac7136e115b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 400,
"payload_entropy": 5.438791950759986,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 10006,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5273ab01a3a6a8f6159c865b90b1db9ee257ddd3",
"event_fingerprint": "2a5a31be885f09cf237d7573a0f7f9648c8453b8",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "41de0d567489ac535f777d43b7244609",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10006,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f896431ce88b8f6e9b402878a44f9a1fdcd36119",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 10006,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "xss attack \u00b7 via HTTP:10006 \u00b7 (tentative d'exploit)",
"target_port_label": "10006 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10006,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 10006,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:10006 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10006\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "10006 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10006"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
5779 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5779 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5779
Chemin / cible
—
Service
TLS
Payload
��������������)h]�[9;b��^�(�t������/��p�7� J,&�3Ї����сx21�0���V/�,)Ա�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������)h]�[9;b��^�(�t������/��p�7� J,&�3Ї����сx21�0���V/�,)Ա�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
��������������)h]�[9;b��^�(�t������/��p�7� J,&�3Ї����сx21�0���V/�,)Ա�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.279195981596239,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 5779,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2f7fcc28f35e84194cc531a0b08ab0d7c2efcaac",
"event_fingerprint": "112986b00fed2a8927b0fdb9c4a9fa599afc348b",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "1d51a088b294c09d789b42877a19d3fd",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5779,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0001\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\u0003\ufffd\u0016\ufffd\ufffd\/\ufffd\u0016p\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffd\u0016V\/\u001c,)\u0531\ufffd\ufffd\u0013\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0001\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\u0003\ufffd\u0016\ufffd\ufffd\/\ufffd\u0016p\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffd\u0016V\/\u001c,)\u0531\ufffd\ufffd\u0013\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0001\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\u0003\ufffd\u0016\ufffd\ufffd\/\ufffd\u0016p\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffd\u0016V\/\u001c,)\u0531\ufffd\ufffd\u0013\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bde7daf4f17e1940ecda1b9bfc58007488d1ac72",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0001\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\u0003\ufffd\u0016\ufffd\ufffd\/\ufffd\u0016p\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffd\u0016V\/\u001c,)\u0531\ufffd\ufffd\u0013\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5779,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\ufffd\ufffd\ufffd\/\ufffdp\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffdV\/,)\u0531\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:5779 \u00b7 (sonde \/ probe)",
"target_port_label": "5779 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5779,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0001\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\u0003\ufffd\u0016\ufffd\ufffd\/\ufffd\u0016p\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffd\u0016V\/\u001c,)\u0531\ufffd\ufffd\u0013\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5779,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5779 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd)h]\ufffd[9;b\ufffd\ufffd^\ufffd(\ufffdt\ufffd\ufffd\ufffd\ufffd\/\ufffdp\ufffd7\ufffd J,&\ufffd3\u0407\ufffd\ufffd\ufffd\ufffd\u0441x21\ufffd0\ufffd\ufffdV\/,)\u0531\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "5779 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5779"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5779 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:5779 · (tentative d'exploit)
|
Élevée
|
Moyen · 44
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5779
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5779
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5779 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "d38c2b40a0be0f424eb51b45375891e33d462e42",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.451895581272544,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 5779,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bf7ed3ac6367fecdce96bd0d4a67658f62b9a64c",
"event_fingerprint": "d6d27e9c4886f5824beb44360af858d3960b3781",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "b6489791f61e8754b58191d62ecb91f0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5779,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8dbf794f55f10cfb9bdc2ac254dd0cf2c25d2854",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5779,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:5779 \u00b7 (tentative d'exploit)",
"target_port_label": "5779 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5779,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5779,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:5779 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5779\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "5779 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5779"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
20201 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:20201 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
20201
Chemin / cible
—
Service
TLS
Payload
�������������#U8�j���r��':��RΈ�F�lp��V��� ��� ��FXC#"��'}S( �+8��EH�!�� ��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������#U8�j���r��':��RΈ�F�lp��V��� ��� ��FXC#"��'}S(��+8��EH�!�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�������������#U8�j���r��':��RΈ�F�lp��V��� ��� ��FXC#"��'}S( �+8��EH�!�� ��\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.258851884385366,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 20201,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "10605ac327ecc6cb75fa0377ecb2f9169287e027",
"event_fingerprint": "a6c1628c1f1839fd3a803299685f9e9f9210e215",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "606ca5650de380d9e3dfb1cb6eb7754f",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 20201,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd\u001a':\ufffd\ufffdR\u0388\ufffdF\u0000lp\ufffd\ufffdV\ufffd\ufffd\ufffd \u0019\ufffd\ufffd\t\ufffd\u0007FXC#\"\ufffd\u0018'}S(\f\ufffd+8\u0001\ufffdEH\ufffd!\ufffd\u0015\u000b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd\u001a':\ufffd\ufffdR\u0388\ufffdF\u0000lp\ufffd\ufffdV\ufffd\ufffd\ufffd \u0019\ufffd\ufffd\t\ufffd\u0007FXC#\"\ufffd\u0018'}S(\f\ufffd+8\u0001\ufffdEH\ufffd!\ufffd\u0015\u000b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd\u001a':\ufffd\ufffdR\u0388\ufffdF\u0000lp\ufffd\ufffdV\ufffd\ufffd\ufffd \u0019\ufffd\ufffd\t\ufffd\u0007FXC#\"\ufffd\u0018'}S(\f\ufffd+8\u0001\ufffdEH\ufffd!\ufffd\u0015\u000b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fc144dce4ca1a229c5973d97c73e2e68dbadd201",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd\u001a':\ufffd\ufffdR\u0388\ufffdF\u0000lp\ufffd\ufffdV\ufffd\ufffd\ufffd \u0019\ufffd\ufffd\t\ufffd\u0007FXC#\"\ufffd\u0018'}S(\f\ufffd+8\u0001\ufffdEH\ufffd!\ufffd\u0015\u000b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 20201,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd':\ufffd\ufffdR\u0388\ufffdFlp\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\t\ufffdFXC#\"\ufffd'}S(\ufffd+8\ufffdEH\ufffd!\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:20201 \u00b7 (sonde \/ probe)",
"target_port_label": "20201 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 20201,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd\u001a':\ufffd\ufffdR\u0388\ufffdF\u0000lp\ufffd\ufffdV\ufffd\ufffd\ufffd \u0019\ufffd\ufffd\t\ufffd\u0007FXC#\"\ufffd\u0018'}S(\f\ufffd+8\u0001\ufffdEH\ufffd!\ufffd\u0015\u000b\ufffd\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 20201,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:20201 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd#U8\ufffdj\ufffd\ufffd\ufffdr\ufffd':\ufffd\ufffdR\u0388\ufffdFlp\ufffd\ufffdV\ufffd\ufffd\ufffd \ufffd\ufffd\t\ufffdFXC#\"\ufffd'}S(\ufffd+8\ufffdEH\ufffd!\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "20201 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "20201"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
20201 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:20201 · (tentative d'exploit)
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20201
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:20201
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 400,
"payload_entropy": 5.449906043392605,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 20201,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ac0b0263ab00d2d3960442ec33c339cfc96233e2",
"event_fingerprint": "e411e573f5c716405f0435932e9eb32a089e26c4",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "5d2e6ee468691880ec8517c8885e12ec",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 20201,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ff987c1d53e4eae6fe4e137f76a147eb64e98591",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 20201,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "xss attack \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)",
"target_port_label": "20201 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 20201,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 20201,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "20201 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "20201"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
26447 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:26447 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
26447
Chemin / cible
—
Service
TLS
Payload
�������������r�Z�������Q����-�ﺸ�[a�����>% ~�Fo�\�N���2S̵¡u���k�B���Sa��l�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������r�Z�������Q����-�ﺸ�[a�����>% ~�Fo�\�N���2S̵¡u���k�B���Sa��l�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
�������������r�Z�������Q����-�ﺸ�[a�����>% ~�Fo�\�N���2S̵¡u���k�B���Sa��l�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.296294439622502,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 26447,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8880fabfb145f3f58cbcc384ff9d03735a39167d",
"event_fingerprint": "f8f03e6bdb43908faea3cdec7802385dc0cc2afa",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "1e1402adc513332232244ed5a3d68acd",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 26447,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdr\ufffdZ\u0012\u0011\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\u0010\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~\u001aFo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffd\u0012Sa\ufffd\ufffdl\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdr\ufffdZ\u0012\u0011\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\u0010\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~\u001aFo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffd\u0012Sa\ufffd\ufffdl\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdr\ufffdZ\u0012\u0011\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\u0010\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~\u001aFo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffd\u0012Sa\ufffd\ufffdl\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1675691110f470556e821088c01e1acff57c9cad",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdr\ufffdZ\u0012\u0011\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\u0010\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~\u001aFo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffd\u0012Sa\ufffd\ufffdl\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 26447,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdr\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~Fo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffdSa\ufffd\ufffdl\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:26447 \u00b7 (sonde \/ probe)",
"target_port_label": "26447 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 26447,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdr\ufffdZ\u0012\u0011\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\u0010\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~\u001aFo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffd\u0012Sa\ufffd\ufffdl\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 26447,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:26447 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdr\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd-\ufffd\ufeb8\ufffd[a\ufffd\ufffd\ufffd\ufffd\ufffd>% ~Fo\ufffd\\\ufffdN\ufffd\ufffd\ufffd2S\u0335\u00a1u\ufffd\ufffd\ufffdk\ufffdB\ufffd\ufffdSa\ufffd\ufffdl\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "26447 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "26447"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
26447 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:26447 · (tentative d'exploit)
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
26447
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 43
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:26447
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:26447 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "5756f8d96c34b58fc01105c4e90b3c852315eee6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 400,
"payload_entropy": 5.456525910584488,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 26447,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ac849c160fcac20c9fa380ef2bcfbd51c2b5d2c6",
"event_fingerprint": "f9e1d8d462084351bbba7345c6aa95a707dc30d8",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "1dc3fedc4a388eee9ac1f1893ba9d3d7",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 26447,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8a86fc41deffc8949f34b4c9019d1b7efe41a696",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 26447,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "xss attack \u00b7 via HTTP:26447 \u00b7 (tentative d'exploit)",
"target_port_label": "26447 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 26447,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 26447,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:26447 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26447\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "26447 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "26447"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
140 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:140 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
140
Chemin / cible
—
Service
TLS
Payload
������������lR̴��잂������Xj�l�b�����;)d� ���K����>)�@�7���\>�3��b��,����f�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������lR̴��잂������Xj�l�b�����;)d� ���K����>)�@�7���\>�3��b��,����f�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������lR̴��잂������Xj�l�b�����;)d� ���K����>)�@�7���\>�3��b��,����f�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.28926505256656,
"port_category": "well_known",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 140,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6182b51a1f142c788ef8f85b0ca596a6fd2ecfa6",
"event_fingerprint": "54e53dcbb6d99e7c73fa53b67389ac20c7a2a773",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "0c9c2b42067e43096edf2fb167530c81",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 140,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u001alR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\u0000\u0012\ufffd\ufffdXj\ufffdl\u001bb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\u0014\ufffd\ufffd>)\u0004@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\u0010\u0016\ufffdf\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u001alR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\u0000\u0012\ufffd\ufffdXj\ufffdl\u001bb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\u0014\ufffd\ufffd>)\u0004@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\u0010\u0016\ufffdf\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u001alR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\u0000\u0012\ufffd\ufffdXj\ufffdl\u001bb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\u0014\ufffd\ufffd>)\u0004@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\u0010\u0016\ufffdf\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd55d702ebd9ec48f22233d8c7704bd8afbf38a9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u001alR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\u0000\u0012\ufffd\ufffdXj\ufffdl\u001bb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\u0014\ufffd\ufffd>)\u0004@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\u0010\u0016\ufffdf\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 140,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffdlR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\ufffd\ufffdXj\ufffdlb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\ufffd\ufffd>)@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\ufffdf\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:140 \u00b7 (sonde \/ probe)",
"target_port_label": "140 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 140,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u001alR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\u0000\u0012\ufffd\ufffdXj\ufffdl\u001bb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\u0014\ufffd\ufffd>)\u0004@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\u0010\u0016\ufffdf\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 140,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:140 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdlR\u0334\ufffd\ufffd\uc782\ufffd\ufffd\ufffd\ufffdXj\ufffdlb\ufffd\ufffd\ufffd\ufffd\ufffd;)d\ufffd \ufffd\ufffd\ufffdK\ufffd\ufffd\ufffd>)@\ufffd7\ufffd\ufffd\ufffd\\>\ufffd3\ufffd\ufffdb\ufffd\ufffd,\ufffd\ufffdf\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "140 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "140"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
140 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:140 · (tentative d'exploit)
|
Élevée
|
Moyen · 45
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
140
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:140
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apn
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "e884dc5b9047d9fad63167b73b898c12bb10d149",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 398,
"payload_entropy": 5.443476301509607,
"port_category": "well_known",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 140,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d4bfe60187254f187a1c3712f92ea8140addff10",
"event_fingerprint": "5027d245c30812a9e2069bf76b1c25b2a4bfde2b",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "b6ac31400410e463c1efc4029d32e258",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 140,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apn",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5b81e915813e70281b58cfa03f2cacba495a8586",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 140,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "xss attack \u00b7 via HTTP:140 \u00b7 (tentative d'exploit)",
"target_port_label": "140 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 140,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 140,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:140 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:140\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "140 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "140"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
10700 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:10700 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10700
Chemin / cible
—
Service
TLS
Payload
���������������x�d�ҩSM�+"� D�0��B=�&M��{�? �7Q�4��������]>��'����)"Ay��>#�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������x�d�ҩSM�+"�
D�0��B=�&M��{�? �7Q�4��������]>��'����)"Ay��>#�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
���������������x�d�ҩSM�+"� D�0��B=�&M��{�? �7Q�4��������]>��'����)"Ay��>#�\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.274250231909075,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 10700,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0a356dce252c011e727e7e457dbbf6601b7d3d2f",
"event_fingerprint": "8b4d5e6ae546165cd365efa961a9948808dedd89",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "b58b21c1246555754c941c88610cbd2a",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 10700,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0014\ufffdx\ufffdd\ufffd\u04a9SM\u001b+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\u0005\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\u001c\ufffd\u0006\ufffd\ufffd]>\ufffd\u001d'\ufffd\b\u000f\ufffd)\"Ay\ufffd\ufffd>#\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0014\ufffdx\ufffdd\ufffd\u04a9SM\u001b+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\u0005\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\u001c\ufffd\u0006\ufffd\ufffd]>\ufffd\u001d'\ufffd\b\u000f\ufffd)\"Ay\ufffd\ufffd>#\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0014\ufffdx\ufffdd\ufffd\u04a9SM\u001b+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\u0005\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\u001c\ufffd\u0006\ufffd\ufffd]>\ufffd\u001d'\ufffd\b\u000f\ufffd)\"Ay\ufffd\ufffd>#\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d6a306ae8aa08c39904d48ef55afea7412c88a8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0014\ufffdx\ufffdd\ufffd\u04a9SM\u001b+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\u0005\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\u001c\ufffd\u0006\ufffd\ufffd]>\ufffd\u001d'\ufffd\b\u000f\ufffd)\"Ay\ufffd\ufffd>#\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 10700,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdx\ufffdd\ufffd\u04a9SM+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]>\ufffd'\ufffd\ufffd)\"Ay\ufffd\ufffd>#\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:10700 \u00b7 (sonde \/ probe)",
"target_port_label": "10700 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10700,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0014\ufffdx\ufffdd\ufffd\u04a9SM\u001b+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\u0005\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\u001c\ufffd\u0006\ufffd\ufffd]>\ufffd\u001d'\ufffd\b\u000f\ufffd)\"Ay\ufffd\ufffd>#\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 10700,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:10700 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdx\ufffdd\ufffd\u04a9SM+\"\ufffd\nD\ufffd0\ufffd\ufffdB=\ufffd&M\ufffd{\ufffd? \ufffd7Q\ufffd4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]>\ufffd'\ufffd\ufffd)\"Ay\ufffd\ufffd>#\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "10700 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10700"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10700 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:10700 · (tentative d'exploit)
|
Élevée
|
Moyen · 43
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10700
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 43
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "15ba8cc32e43d1c639f7d50c5a7d315d62b8b0cf",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 400,
"payload_entropy": 5.44042950584012,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 10700,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 43,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "125105c5da5caff5bbe3f8299e1b191801da4f67",
"event_fingerprint": "9cbcdb6b4d4c7b0dee8f08f5b246b780a38bd8f2",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "04a0f2cbb55523971b95a7e32f30ac8e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10700,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/a",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "79e9b1910ec8557896e5333f43eb1c1ac23b41d7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 10700,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"attack_vector": "xss attack \u00b7 via HTTP:10700 \u00b7 (tentative d'exploit)",
"target_port_label": "10700 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 43,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10700,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 10700,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:10700 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Ge",
"target_port_label": "10700 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10700"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
5080 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:5080 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 511534a5dbb14457
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5080
Chemin / cible
—
Service
TLS
Payload
������������w����&9��z�>�pڔd�)�2�d���=�y , �3)�����h"��f-<&�ؘ69���sh.m�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������w����&9��z�>�pڔd�)�2�d���=�y , �3)�����h"��f-<&�ؘ69���sh.m�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v
Requête brute (extrait)
������������w����&9��z�>�pڔd�)�2�d���=�y , �3)�����h"��f-<&�ؘ69���sh.m�����\�������,�0̨̩�����]�a�+�/�����\�`�$�(�s�w�#�'�r�v� ��� ���������Q�������P�=���<���5���/�A�����W� ������� �������������������������#����������� �*�(����������� � � ��������������
Meta JSON brut
{
"tls_ja3_hash": "511534a5dbb144576d046b0d2aeb5fb7",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 6,
"bytes_in": 517,
"payload_entropy": 4.282847441055136,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "tls",
"app_proto": "tls",
"asn": 209896,
"country": "US",
"dst_port": 5080,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0723de13f9d85b8a5322fd8868e532133ff26111",
"event_fingerprint": "20000a64051701b58262f9ba79c47b647d8176f9",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"payload_hash": "ef72d86482aaee509e003cdc191d5f24",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5080,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffd\u0019z\u001c>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\b\ufffd\ufffdh\"\ufffd\u0011f-<&\ufffd\u061869\ufffd\u0002\ufffdsh.m\ufffd\ufffd\ufffd\u0003\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffd\u0019z\u001c>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\b\ufffd\ufffdh\"\ufffd\u0011f-<&\ufffd\u061869\ufffd\u0002\ufffdsh.m\ufffd\ufffd\ufffd\u0003\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd\u0000\/\u0000A\u0000\ufffd\u0001\u0000\u0001W\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffd\u0019z\u001c>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\b\ufffd\ufffdh\"\ufffd\u0011f-<&\ufffd\u061869\ufffd\u0002\ufffdsh.m\ufffd\ufffd\ufffd\u0003\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b14b6c84906613c746dfbf1b1188b5bafeaca950",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffd\u0019z\u001c>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\b\ufffd\ufffdh\"\ufffd\u0011f-<&\ufffd\u061869\ufffd\u0002\ufffdsh.m\ufffd\ufffd\ufffd\u0003\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5080,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffdz>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\ufffd\ufffdh\"\ufffdf-<&\ufffd\u061869\ufffd\ufffdsh.m\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"attack_vector": "tls probe \u00b7 via TLS:5080 \u00b7 (sonde \/ probe)",
"target_port_label": "5080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5080,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffd\u0019z\u001c>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\b\ufffd\ufffdh\"\ufffd\u0011f-<&\ufffd\u061869\ufffd\u0002\ufffdsh.m\ufffd\ufffd\ufffd\u0003\u0000\\\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"tls_ja3": "511534a5dbb144576d046b0d2aeb5fb7",
"port": 5080,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:5080 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd&9\ufffdz>\ufffdp\u0694d\ufffd)\ufffd2\ufffdd\ufffd\ufffd\ufffd=\ufffdy\t, \ufffd3)\ufffd\ufffd\ufffd\ufffdh\"\ufffdf-<&\ufffd\u061869\ufffd\ufffdsh.m\ufffd\ufffd\ufffd\\\ufffd,\ufffd0\u0329\u0328\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffd$\ufffd(\ufffds\ufffdw\ufffd#\ufffd'\ufffdr\ufffdv",
"target_port_label": "5080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5080 · HTTP
|
http
|
Cross-site scripting
xss attack · via HTTP:5080 · (tentative d'exploit)
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5080
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
SSRF Any-address SSRF
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/ap
Meta JSON brut
{
"http_header_count": 6,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0cb97fa2c09bb17e5169eb608f71e610635ab915",
"http_host_hash": "a6e59d7e6ed1118b9b8a459d3dae612e693a4699",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 399,
"payload_entropy": 5.4451943822106,
"port_category": "registered",
"org": "Contrust Solutions S.R.L.",
"service": "http",
"app_proto": "http",
"asn": 209896,
"country": "US",
"dst_port": 5080,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7f098e897c445f45d4eaf0d72581980b596777f3",
"event_fingerprint": "c613f691adcf4e8a0c713182c98fb79973eb01b6",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284",
"pat-0324"
],
"matched_pattern_names": [
"CRS 941130",
"SSRF Any-address SSRF"
],
"pattern_ids": [
"pat-0284",
"pat-0324"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 209896,
"org": "Contrust Solutions S.R.L.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b5696a699925e22006af19488170e4e2",
"payload_hash": "4c813db6c9a55400561ef0acbc2cef75",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5080,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/ap",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ddcd784890de2be5d1b7a9405032006901388a53",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "xss attack \u00b7 via HTTP:5080 \u00b7 (tentative d'exploit)",
"target_port_label": "5080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5080,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36",
"port": 5080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:5080 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "5080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"behavior_alert_count": 1,
"behavior_priority": 96
}
|